The Internet of Things (IoT) and Cybersecurity: Is Your Phone Hacking Your Company? The 2019 Corporate Risk, Ethics & Compliance Forum, The Metropolitan Club of Chicago, September 26, 2019


Page 1

The Internet of Things (IoT) and Cybersecurity:

Is Your Phone Hacking Your Company?

The 2019 Corporate Risk, Ethics & Compliance Forum

The Metropolitan Club of Chicago

September 26, 2019


Page 2

Panelists:

Akin Akinbosoye, Director of Cybersecurity, MxD

Christina Ayiotis, Vice President, Renaissance Information Governance and Privacy, OCC

Matthew Baciak, Counsel, Global Privacy, Hyatt Hotels Corporation

Moderator:

Joseph Raczynski, Technologist, Large & Medium Law Firms, Thomson Reuters

The Internet of Things (IoT) and Cybersecurity:

Is Your Phone Hacking Your Company?

Page 3

Introduction to Discussion

Page 4

Page 5

Hackers built proof-of-concept malware that can spread from turbine to turbine to paralyze or damage them… using a $5 Raspberry Pi

Page 6

How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers…

Page 7

When IoT Attacks…

Page 8

Chinese hackers cracked into a Tesla by having it connect to a rogue Wi-Fi access point and were able to disable its brakes. Later they found a way to do the same through its cellular chipset…

Page 9

What is Security Worth to You?

(Chart) 30% filled out the survey / 70% filled out the survey

Rob May - TEDx

Page 10

CASE STUDY

How One of the World’s Largest Law Firms Was Paralyzed by Petya…

– If it can happen to them, it can happen to anyone.

Jonathan Crowe – Barkly Blog

Page 11

Victim

@joerazz

Page 12

Tuesday, June 27, 2017

• 5:48am: Reports of a major cyberattack first surface, targeting companies primarily in Ukraine.

• 6am: “The Firm’s” Madrid office experiences signs of infection and is immediately locked down.

• 7:37am: “The Firm’s” phone lines are reported down.

• 7:55am: The Firm’s web portal, used to access sensitive documents, is reported down as well.

• Tuesday morning: Firm employees are instructed via text message alert system not to start their computers or connect to the Firm network.

It begins…


Page 13

Tuesday June 27, 2017

• 9:36am: “The Firm” issues a statement confirming suspicious activity was detected on its network that appears to be related to the Petya outbreak, and says its IT team acted quickly to prevent the spread.

• 10am: Photo of a whiteboard outside the firm’s D.C. office alerting firm employees the network is down and not to turn on computers is posted on Twitter.

• Tuesday afternoon: Firm employees are instructed via text to continue to work as much as possible with limited firm technology and to leave the office at 3pm with permission.

Page 14

Wednesday, June 28 (+1 day following attack)

• 6:42am: Firm issues second statement announcing it is working closely with leading external forensic experts and relevant authorities, including the FBI.

• Wednesday morning: Firm employees notified via text alert system that offices are open, phones are operational, and email should be back up and running within hours.

• Wednesday evening: Firm employees notified via text progress has been slower than expected, and document management and email systems are expected to be functioning by Thursday morning.


Page 15

Monday, July 3 (+6 days following attack)

• 1am: Six days following the attack, the firm announces email has been restored, but other systems are still in the process of being brought back online. It also confirms no evidence suggests client data had been exfiltrated or compromised, though the investigation is still ongoing.


Page 16

Thursday, July 6 (+9 days following attack)

• Thursday morning: Sources briefed on the firm's recovery indicate that while email has been restored, the firm has yet to regain complete access to emails sent or received before the attack, and that some staff are still unable to access documents directly.

• Thursday afternoon: The firm issues another statement acknowledging that bringing all systems back online may take time, but that offices are open and the firm is advising clients.


Page 17

Monday, July 10 (+13 days following attack)

• 4:35am: Firm issues another statement thanking clients and partners for their patience and acknowledging that while email and other tools central to client services are safely back online, other major systems are still being restored.


Page 18

Lessons Learned

1. Attack Prevention – “The Firm” detected the attack and acted quickly, but detection is not the primary key; preventing the initial infection is.

2. Everyone Has A Plan – Before the attack “The Firm” had published “9 things you should know to protect your company from the next attack”

3. No Firm Is Immune – “The Firm” was rated very good when it came to its cybersecurity plan


Page 19

Other Lessons

• Do you have personal phone numbers for your vendors’ contacts?

• Do you have an offline inventory of all logins and passwords?

• Do you have personal email addresses and cell phones of all employees?

• Have you completed a fire drill?


Page 20

Discussion

Page 21

Yes, your office copy machine, microwave and coffee maker could lead to a data breach. Once upon a time, wireless networks were utilized solely by computers. Today, however, wireless networks are utilized by computers, smartphones and other technologies that can transmit and receive seemingly limitless amounts of data—an attractive opportunity for cyber-criminals.

This panel closely examines:

• Weak spots or vulnerabilities within the Internet of Things (IoT);

• The importance of establishing training and policy guidelines for employees and IT personnel;

• The role of both corporate and outside counsel in protecting a company’s data, digital assets and intelligence;

• Developing an effective data breach incident response plan; and

• Essential insurance considerations.

Page 22

The Big Picture: A Truly Global Internet

• F-Secure Attack Landscape H1 2019 https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/09/12093807/2019_attack_landscape_report.pdf

• “ . . internet of things (IoT) device insecurity has emerged as a top concern and top driver of internet attack traffic in the first half of 2019 . . .largest share of attack traffic, 760 million events, was measured on the Telnet protocol . . .malware found in the honeypots was dominated by various versions of Mirai, which infects IoT devices that use default credentials and co-opts those devices into botnets that conduct DDoS attacks.” Melissa Michael, Attack Landscape H1 2019: IoT, SMB traffic abound F-Secure Blog (September 19, 2019) https://blog.f-secure.com/attack-landscape-h1-2019-iot-smb-traffic-abound/

• India most attacked nation in the IoT space in second quarter of 2019

• Cyberattacks grew 22% on India’s IoT deployments in Q2 (August 9, 2019) https://economictimes.indiatimes.com/tech/internet/cyberattacks-grew-22-on-indias-iot-deployments-in-q2/articleshow/70606639.cms?utm_source%3Dtwitter_web%26utm_medium%3Dsocial%26utm_campaign%3Dsocialsharebuttons

Page 23

The Big Picture: A Truly Global Internet

• The ADVERSARY is not just your friendly neighborhood cyber/criminal (Nation State actors; Terrorists, etc.)

• Microsoft has been tracking hackers (Strontium, Fancy Bear, APT28) linked to Russian spy agencies who use internet-connected phones and printers to break into corporate networks. Patrick Howell O’Neill, Russian hackers are infiltrating companies via the office printer MIT Technology Review (August 5, 2019) https://www.technologyreview.com/f/614062/russian-hackers-fancy-bear-strontium-infiltrate-iot-networks-microsoft-report/

• Got access because IoT devices were deployed with default passwords or because the latest security update was not applied

• Hackers move “from one device to another, establishing persistence and mapping the network”
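The F-Secure honeypot figures on the previous slide (Telnet-borne Mirai traffic against devices still on default credentials) and the Microsoft finding on this slide (a printer or phone taken over and then used to hop between devices) leave the same trace in authentication logs. The script below is an added example, not part of the slide deck or of either report: it runs simple detection logic over a handful of constructed Telnet/SSH login records in a hypothetical normalised format and flags successful logins with well-known default username/password pairs, sources that spray many credential pairs, and sources that go on to log in to several different devices. The credential list is a small subset recalled from Mirai's hard-coded table and is illustrative only; the record format, device names and addresses are all constructed.

```python
"""Spot Mirai-style default-credential logins and device-to-device hopping in IoT auth logs.
Added example; the log format, hosts and addresses below are constructed, not real data."""
import re
from collections import defaultdict

# Illustrative subset of the username/password pairs in Mirai's hard-coded credential
# table (recalled from the leaked source; verify and extend from your vendors' defaults).
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("root", "888888"),
    ("root", "default"), ("admin", "admin"), ("admin", "1234"), ("support", "support"),
    ("root", "root"), ("user", "user"), ("admin", "password"), ("root", ""),
}

# Hypothetical normalised record (assumed format, not any vendor's syslog):
#   <timestamp> <telnet|ssh> <src_ip> -> <device> login <ok|fail> user="..." pass="..."
# Honeypots record the password tried; production devices should leave pass="" .
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proto>telnet|ssh) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> '
    r'(?P<dst>\S+) login (?P<result>ok|fail) user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)"$'
)


def parse_line(line):
    """Fields of one well-formed record, or None; malformed lines are skipped, never trusted."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, spray_threshold=5, fanout_threshold=2):
    """Three indicators from a batch of records:
    default_cred_logins: successful logins using a known default pair (device is botnet bait)
    spraying_sources:    sources with >= spray_threshold failures across distinct pairs
    lateral_sources:     sources that logged in successfully to >= fanout_threshold devices
    """
    default_cred_logins = []
    tried = defaultdict(set)      # src -> set of (user, pw) pairs that failed
    reached = defaultdict(set)    # src -> set of devices logged into successfully
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        pair = (ev["user"], ev["pw"])
        if ev["result"] == "ok":
            reached[ev["src"]].add(ev["dst"])
            if pair in DEFAULT_CREDENTIALS:
                default_cred_logins.append((ev["ts"], ev["src"], ev["dst"], ev["user"]))
        else:
            tried[ev["src"]].add(pair)
    return {
        "default_cred_logins": default_cred_logins,
        "spraying_sources": {s for s, pairs in tried.items() if len(pairs) >= spray_threshold},
        "lateral_sources": {s for s, devs in reached.items() if len(devs) >= fanout_threshold},
    }


# Constructed sample: an Internet scanner sprays a lobby camera and gets in with a default
# password; the camera (10.0.40.31) is then used to log in to a printer and a desk phone.
SAMPLE_LOG = """\
2019-09-20T02:14:01Z telnet 203.0.113.7 -> cam-lobby-01 login fail user="root" pass="xc3511"
2019-09-20T02:14:02Z telnet 203.0.113.7 -> cam-lobby-01 login fail user="root" pass="vizxv"
2019-09-20T02:14:03Z telnet 203.0.113.7 -> cam-lobby-01 login fail user="admin" pass="1234"
2019-09-20T02:14:04Z telnet 203.0.113.7 -> cam-lobby-01 login fail user="support" pass="support"
2019-09-20T02:14:05Z telnet 203.0.113.7 -> cam-lobby-01 login fail user="user" pass="user"
2019-09-20T02:14:06Z telnet 203.0.113.7 -> cam-lobby-01 login ok user="root" pass="888888"
2019-09-20T02:20:11Z telnet 10.0.40.31 -> printer-3f-02 login ok user="admin" pass="admin"
2019-09-20T02:21:40Z ssh 10.0.40.31 -> voip-phone-117 login ok user="admin" pass="admin"
2019-09-20T02:30:00Z ssh 10.0.10.5 -> nas-backup-01 login ok user="jdoe" pass=""
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The thresholds are deliberately low for the sample; in a real deployment the fan-out check matters more than the spray check, because a printer or camera that starts opening Telnet or SSH sessions to other devices has no legitimate reason to do so, whichever credentials it uses.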

Page 24

The Big Picture: A Truly Global Internet

• The ADVERSARY is not just your friendly neighborhood cyber/criminal (Nation State actors; Terrorists, etc.)

• “ . . .critics speculate that the Chinese firm could incorporate technology into the cars that would allow CRRC – and the Chinese government – to track the faces, movement, conversations or phone calls of passengers through the train’s cameras or Wi-Fi. . . risks of giving a Chinese company the ability to monitor or control American infrastructure could not be understated given recent laws requiring Chinese companies to turn data to Beijing upon request.” Ana Swanson, Fearing ‘Spy Trains,’ Congress May Ban a Chinese Maker of Subway Cars (September 15, 2019) THE NEW YORK TIMES https://www.nytimes.com/2019/09/14/business/chinese-train-national-security.html?action=click&module=Top%20Stories&pgtype=Homepage

($100 Million new factory in Chicago built by a Chinese state-owned company)

• UK National Cyber Security Centre, Weekly Threat Report 13th September 2019 https://www.ncsc.gov.uk/report/weekly-threat-report-13th-september-2019

• More than a million IoT radio devices affected by backdoor vulnerability – Telestar Digital GmbH

Page 25

IoT Security Laws

UK

• Department for Digital, Culture, Media & Sport, The Government’s Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home (Last updated June 6, 2019) https://www.gov.uk/government/collections/secure-by-design

US - PASSED (California and Oregon laws to take effect January 1, 2020)

• Oregon- H.B. 2395: Relating to security measures required for devices that connect to the Internet; creating new provisions; and amending ORS 646.607 https://olis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/HB2395/Enrolled

• Requires manufacturers of “connected devices” to equip them with “reasonable security features”

• California- SB-327 Information privacy: connected devices (September 2018)—Security of Connected Devices https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

US - PROPOSED

• Illinois- H.B. 3391 Security of Connected Devices Act http://www.ilga.gov/legislation/BillStatus.asp?DocNum=3391&GAID=15&DocTypeID=HB&LegId=119982&SessionID=108&GA=101

• Maryland- (S. 553/H.B. 1276) Security Feature for Connected Devices – Requirements, Procurement Preferences, and Reports http://mgaleg.maryland.gov/webmga/frmMain.aspx?id=hb1276&stab=01&pid=billpage&tab=subject3&ys=2019RS

Page 26

Federal Activity Regarding IoT Security

• Proposed Securing Internet of Things Cybersecurity Improvement Act of 2019

• Congressional Budget Office (September 13, 2019) transmitted a cost estimate https://www.cbo.gov/publication/55625

• Proposed? Securing the Internet of Things Act of 2017

• Cybersecurity standards for certain radio frequency equipment https://www.congress.gov/bill/115th-congress/house-bill/1324/text

• Proposed Cyber Shield Act of 2017 https://www.govtrack.us/congress/bills/115/hr4163

• Proposed State of Modern Application, Research, and Trends of IoT Act or the SMART IoT Act https://www.congress.gov/bill/115th-congress/house-bill/6032

Page 27

Federal Activity Regarding IoT Security

• U.S. Consumer Product Safety Commission

• A FRAMEWORK OF SAFETY for the Internet of Things: Considerations for Consumer Product Safety (January 2019) https://www.cpsc.gov/s3fs-public/A_Framework_for_Safety_Across_the_Internet_of_Things_1-31-2019_0.pdf?1KJ.t4Tn04v9OtEBr2s0wyLAP.KsuuQ3

• “Ensure transparency in data collection, data sharing, and data use so that consumers can make informed decisions about their own data and potential risks that may arise from the repurposing of that data. Ensure clear privacy policy statements.”

• “Products worn on or in the body (‘wearables’ or implants)– Address information security and privacy . . .Address risks of defects, flaws, vulnerabilities, malfunctions, performance manipulation of the product . . . leading to potential criminalization/weaponization.”

Page 28

NIST June 2019 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228) https://csrc.nist.gov/publications/detail/nistir/8228/final

• “ . . . expanding collection of diverse technologies that interact with the physical world”

• “ . . . convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances”

• Differences between managing IoT vs. Conventional IT devices

• IoT devices interact with the physical world differently

• Many IoT devices cannot be accessed, managed, or monitored in the same way

• The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different

Page 29

NIST June 2019 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTIR 8228) https://csrc.nist.gov/publications/detail/nistir/8228/final

• High-level risk mitigation strategies

• Protecting Device Security

• Asset Management, Vulnerability Management, Access Management, Device Security Incident Detection

• Protecting Data Security

• Data Protection, Data Security Incident Detection

• Protecting Individuals’ Privacy

• Information Flow Management, PII Processing Permissions Management, Informed Decision Making, Disassociated Data Management, Privacy Breach Detection

Page 30

The convergence of IT, OT, and Managing Cyber Risk

• Zero Days-- 2016 Alex Gibney documentary about Stuxnet

• Ghost Fleet– 2015 P.W. Singer & August Cole novel

Detecting and Protecting Against Data Integrity Attacks in Industrial Control Systems Environments: Cybersecurity for the Manufacturing Sector

• The National Cybersecurity Center of Excellence released a June 2019 DRAFT (Public comment closed July 25, 2019)

• NCCoE will leverage NIST Engineering Laboratory “to provide a comprehensive approach that manufacturing organizations can use to address the challenge of protecting ICS against data integrity attacks by leveraging . . . behavioral anomaly detection, security incident and event monitoring, ICS application whitelisting, malware detection and mitigation, change control management, user authentication and authorization, access control least privilege, and file-integrity checking mechanisms” [EMPHASIS ADDED]
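The NCCoE draft quoted above lists file-integrity checking among the controls for catching data-integrity attacks on ICS. The script below is an added example, not part of the NCCoE or NIST material: it takes a SHA-256 baseline of a directory of hypothetical PLC project files and HMI configuration, seals that baseline with an HMAC so that an edited baseline is refused rather than trusted, and reports added, removed and modified files on the next check. The file names, contents and key are constructed for the demonstration; in practice the key and the sealed baseline are kept off the monitored host.

```python
"""File-integrity checking for an ICS engineering host, with a sealed baseline.
Added example; the files, contents and key below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file so large project archives and binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (slash-separated relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def seal(baseline, key):
    """Serialise the baseline and append an HMAC-SHA256 tag made with a key kept off the host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def unseal(blob, key):
    """Verify the tag before trusting the baseline; an edited baseline is refused, not used."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline tag mismatch: baseline file was altered")
    return json.loads(body)


def compare(baseline, current):
    """Added, removed and content-changed paths between a stored and a fresh baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp dir: baseline three files, then an attacker changes a
    setpoint, deletes the PLC project and drops a new binary; also try a forged baseline."""
    key = b"example-offline-baseline-key"  # hypothetical; the real key lives off the host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "plc"))
        files = {"plc/line1.project": b"ladder logic v7", "hmi.cfg": b"setpoint=120",
                 "runtime.exe": b"MZ..."}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        sealed = seal(build_baseline(root), key)

        with open(os.path.join(root, "hmi.cfg"), "wb") as f:
            f.write(b"setpoint=900")
        os.remove(os.path.join(root, "plc", "line1.project"))
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"MZ...dropper")

        report = compare(unseal(sealed, key), build_baseline(root))

        # Editing the stored baseline (here: one byte in the JSON body) must be detected too.
        forged = sealed.replace(b'"hmi.cfg"', b'"hmi.cfg "', 1)
        try:
            unseal(forged, key)
            report["tampered_baseline_rejected"] = False
        except ValueError:
            report["tampered_baseline_rejected"] = True
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

demo() stages the whole scenario in a temporary directory so it runs offline. On a real engineering workstation you would run build_baseline over the application and project directories at the end of a validated change window, seal the result with a key that never sits on that host, and schedule compare against the sealed baseline; a modified runtime binary or project file between change windows is the data-integrity event the NCCoE draft is describing.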

Page 31

Industry 4.0

Good Practices for Security of Internet of Things in the context of Smart Manufacturing— November 2018 ENISA Report https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot

– Smart Manufacturing defined as “next-generation industrial manufacturing processes and systems built on emerging information and communication technologies in line with Industry 4.0, such as additive manufacturing, advanced analytics and IT/OT integration”

• Other technologies that benefit Industry 4.0 and Smart Manufacturing include: IIoT end devices, machine-to-machine (M2M) communication, big data analytics, advanced robotics, artificial intelligence (AI), machine learning (ML), predictive maintenance, real time monitoring, advanced loss analytics, cloud computing, additive manufacturing, and augmented reality

Industry 4.0 – Cybersecurity Challenges and Recommendations– May 2019 ENISA Paper https://www.enisa.europa.eu/publications/industry-4-0-cybersecurity-challenges-and-recommendations

Page 32

Why Should Lawyers Care?

• Organization may have a duty to protect certain information types, and that will include understanding security threats and mitigating them

• Lawyers themselves have ethical obligations to keep their Clients’ Confidences, so they must understand how this new technological capability impacts their ability to protect the confidentiality and integrity of data

• Protecting privacy means understanding the data flows of the devices and architecting business process (and protections) to ensure privacy requirements are met

• Effectively being able to manage and assess corporate risk, protect privilege, and ensure containment and remediation occur properly during a security incident/breach necessitates having an incident response plan and communication structure with legal playing a central role.

Page 33

Why Should Lawyers Care?

American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477 Securing Communication of Protected Client Information (May 11, 2017) https://www.americanbar.org/content/dam/aba/administrative/law_national_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf

– Understanding the nature of the threat . . .proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft . . . Every access point is a potential entry point for a data loss or disclosure . . . Each access point, and each device, should be evaluated for security compliance.

– A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.

Page 34

Why Should Lawyers Care?

American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion 483 Lawyers’ Obligations After an Electronic Data Breach or Cyberattack (October 17, 2018) https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf

– Even lawyers who, (i) under Model Rule 1.6(c), make “reasonable efforts to prevent the . . . unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” (ii) under Model Rule 1.1, stay abreast of changes in technology, and (iii) under Model Rules 5.1 and 5.3, properly supervise other lawyers and third-party electronic-information storage vendors, may suffer a data breach. When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients “reasonably informed” and with an explanation “to the extent necessary to permit the client to make informed decisions regarding the representation.”

Page 35

• American Bar Association Model Rule 1.1 Competence:

• Comment [8]

• To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (EMPHASIS ADDED) https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/comment_on_rule_1_1/

• American Bar Association Model Rule 1.6 Confidentiality of Information:

• Comment [18]

• . . requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties . . . reasonableness of lawyer’s efforts . . . sensitivity of information . . . the cost of employing additional safeguards . . . (EMPHASIS ADDED) https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/comment_on_rule_1_6/

Page 36

Lawyers and Incident Response Plan

• In order to have an accurate risk assessment, reviews happen at functional and leadership levels.

o Legal should be involved at each level to provide 1. legal risk assessment, and 2. help “manage” competing interests

• Legal should designate an incident response coordinator who manages incidents

o Helps preserve privilege

o Assists in the management of communication streams

▪ What gets communicated and to whom

o Should be involved in each functional assessment

▪ Let technical teams perform their analysis but assist and guide as necessary – narrow scope as needed

▪ Technical knowledge is preferred but not necessary

▪ Need to understand both business and technical impacts by having detailed operational knowledge and comprehension of threat landscape.

Page 37

Insurance Companies and IoT

• HOW INSURANCE COMPANIES ENGAGE IN THE INTERNET OF THINGS McKinsey & Company, Digital ecosystems for insurers: Opportunities through the Internet of Things (February 2019) https://www.mckinsey.com/industries/financial-services/our-insights/digital-ecosystems-for-insurers-opportunities-through-the-internet-of-things

• Four attractive and relevant digital ecosystems: Mobility/Connected Car; Smart Housing; Connected Health; and Commercial Lines (product innovation, distribution excellence, risk prevention . . supplier network management)

• INSURANCE—NOT JUST FOR COMPANIES Swiss Reinsurance Company Ltd, Personal cyber insurance: Protecting our digital lives (2019) https://www.swissre.com/dam/jcr:68e4d8fb-509c-4182-a219-c803f7d23af1/ZRH-18-00632-P1_Personal_cyber_insurance_Publication_WEB.pdf

• “ . . predicted that by 2030 there will be around 125 billion IoT devices globally, which represents a huge potential for cyberattacks . . .From identity theft, to hacking of subscription services and IoT home devices, the list of cyber risks people, and not just organisations, are facing is growing all the time as the cyber threat landscape metastasizes rapidly.”

Page 38

Insurance Coverage Considerations

• Kelly A. Williams, The Future Is Here: The Internet of Things and the Law HOUSTON HARBAUGH https://www.hh-law.com/Articles/Insurance-Coverage-and-Bad-Faith-Articles/The-Future-Is-Here-The-Internet-Of-Things-And-The-Law.shtml

• “The IoT also raises a variety of insurance coverage issues . .whether a defective product claim arising from the IoT will qualify as an ‘occurrence’ . . the ‘products-completed operations hazard’ exclusion applies for liabilities arising from ‘work that has not yet been completed or abandoned.’ This begs the question of whether an IoT product is ever complete if it requires updates.”

• Catherine Serafin, A Policyholder’s Guide to IoT Claims Coverage RISK MANAGEMENT (February 2018) http://www.rmmagazine.com/2018/02/01/a-policyholders-guide-to-iot-claims-coverage/

• Tyler Gerking & David Smith, Are You Covered for California’s New IoT Laws? POLICYHOLDER PERSPECTIVE: Insights and Issues in Commercial Insurance Coverage (January 2019) https://www.farellacoveragelaw.com/2019/01/covered-californias-new-iot-laws.html/

Page 39

Insurance Coverage Considerations

• Luke M. Schwenke, Insuring Against Unknown Cyber Attacks in the Age of IoT JOURNAL OF REINSURANCE 2019 Volume 26, Number 1 https://www.wm.edu/as/charlescenter/_documents/schwenkewinningessay.pdf

• Robert Parisi, Managing Director and Cyber Product Lead at Marsh Inc., believes, ‘the question of whether or not these insurance terms and conditions address IoT-related losses is one of the most interesting issues in the marketplace right now.’ There is a lot of debate as to what type of insurance policy will even cover these types of risk – will it reside with a cyber, property, or some other policy?

• AIG/Lex Baugh, Getting Hacked: IoT and Beyond RISK+INNOVATION 2018 https://www.aig.com/content/dam/aig/america-canada/us/documents/innovative-tech/getting-hacked-iot-and-beyond.pdf

• The collaboration between Risk Managers and CISOs, and among them and other business leaders from across the company, should mirror the complexity and interconnectedness of attacks themselves.

Page 40

Role of In-House Counsel vs. Outside Counsel

• Understanding the Risks to be addressed:

• Data Breach

• IoT Ransomware

• Distributed Denial of Service Attacks (Victim; Unwitting Perpetrator)

• Privacy Harms

• Cyber-Physical Injury and/or Property Damage

• IoT Supply Chain –Interconnectedness and Liability

• Regulatory Concerns

• Reputational Harm/Brand Impact

• Potential Claims based on Negligence; Strict Liability; Consumer Protection Statutes