Cybersecurity 2014 by Andrea Almeida - Session #651

© Copyright 2012, Horzepa Spiegel & Associates, PC.

September 26, 2014

Cybersecurity 2014: The Impact of Policies and Regulations on CompaniesBy Andrea Almeida

© Copyright 2012, Horzepa Spiegel & Associates, PC.© Copyright 2012, Horzepa Spiegel & Associates, PC.

Agenda

1. Introduction

2. Understanding the Threats

a. Advanced Persistent Threats

b. Trade Secret Theft/Industrial Espionage

c. Data Breaches

d. Cyber Vandalism

3. The United States Legal & Policy Environment

4. Responding to a Cyber Incident

5. Conclusion


I - Introduction

• Cybercrime has become an item of international focus – hackers fromall parts of the globe.

• Businesses face unique difficulties not only addressing cyber securitybut also mitigating cyber crime.

• Cost of handling cyber issues: Report from the Center for Strategicand International Studies – cybercrime costs the US economy $100billion on an annual basis.

• Reputational Damage is one of the greatest risks and impossible tobuy back


II - Understanding the Threatsa. Advanced Persistent Threats (“APT”)

ü Highly sophisticated, professional intrusions into secure networks

ü Typical techniques include spear-phishing and social engineeringcombined with zero-day exploits

ü Typical perpetuator suspected to be nation-states

ü Ex1: Recent case study: purportedly Chinese People’s LiberationArmy Unit 61398 devoted to cyber warfare and cyber espionage.

ü Ex 2: US Senate panel: found hackers associated with the Chinesegovernment have repeatedly infiltrated the computers systems ofUS airlines, technology companies and US military contractors.


b.Trade Secret Theft/Industrial Espionage

ü The vast majority involved insiders. Theft on behalf of foreigncorporations is common (over 30%) but can come fromdomestic sources too.

ü Thieves often highly educated or senior employees (onedefendant was a Nobel Prize nominee). Examples:ü United States v. Pani, No. 4:08-CR-40034 (D. Mass. 2008) –

Intel employee stole processor designs from her company tobenefit competitor AMD

ü Dongfan Greg Chung (US v. Chung, 8:08-CR-00024 (NDCal2008)) – Sent over 300,000 pages of documents on thespace shuttle, Delta IV Rocket, F-15 Fighter, B-52 Bomberand Chinook helicopter to China over 30 years. Sentencedto imprisonment for 15 years, 8 months


c. Data Breaches

ü From 2005 to present = 607 million usernames, passwords,bank account numbers, credit card numbers, social securitynumbers, phone numbers, or mailing addresses have been lost,stolen, or compromised.

ü 47 states states have data breach notification laws exceptAlabama, New Mexico and South Dakota.

ü Most breaches involve dozens of different state laws

ü Costs of response and remediation can be tens of millions ofdollars.


d. Cyber Vandalism

ü Attackers are generally unknown and motivated by socio-politicalagenda or personal amusement

ü Attacks typically are limited to defaced web pages, but other attackscan be devastating.

ü Ex 1: Sony Playstation hack – some have speculated that the attack wasretaliation for perceived unfair business practices by Sony.

ü Ex 2: Doxxing, which is the release of private information online.


III -The U.S. Legal & Policy Environment

•2013 Executive Order on Improving Critical Infrastructure Cybersecurity

•Cyber Intelligence Sharing and Protection Act of 2013 (“CISPA”)

•Cyber security Act of 2013

•National Cyber security and Critical Infrastructure Protection Act of2014 (“NCIP”)

•Personal Data Privacy and Security Act of 2014.

•Data Security Act of 2014


Executive Order on Improving Critical Infrastructure Cyber security

• Creation of Cybersecurity Framework: voluntary program includesincentives

• Information sharing and Identification of critical infrastructure forwhich a cyber security attack could have catastrophic effects

• Agencies to determine whether existing regulations are sufficientand take regulatory action to address deficiencies

• Use of the federal procurement process to encourage contractorsto enhance information security practices.

• Consideration of privacy and civil liberties issues.


Cyber Security Framework created by NIST

• NIST worked with Critical Infrastructure (“CI”) owners andoperators ie trade associations, public & private sector organizations

• To develop a voluntary, risk-based framework to promote andenhance the security and resiliency of CI and

• To help organizations, regardless of industry sector or size, tomanage cyber risk.

• Is intended to be voluntary and flexible.

• Not intended to replace existing sector standards or to add anunnecessary layer on existing standards and practices.


The Framework is composed of:

• Framework Core, a set of cyber security activities andoutcomes applicable across all Critical Infrastructure sectors

• Framework Profile, which allows organizations to apply cybersecurity activities to its unique business requirements, risktolerances and resources and

• Framework Implementation Tiers, which allow anorganization to gauge its cyber security by comparing

characteristics and approaches to managing cyber risks.


Data Security Rules

• Federal Law• Fair Credit Reporting Act (“FCRA”)• Gramm-Leach-Bliley Act (“GLBA”)• Children’s Online Privacy Protection Act (“COPPA”)• Health Insurance Portability and Accountability Act

(“HIPAA”)• Health Information Technology for Economic and Clinical

Health (“HITECH”)• Fair and Accurate Credit Transactions Act

(“FACTA”)Disposal Rule• FTC Act


Data Security Rules Cont….

• State Requirements• Data Breach notification laws• Data Security laws – require business to maintain data

security standards to protect state residents’ personalinformation from being compromised.

• Industry Standards• PCI DSS• ISO• NIST


SEC Cybersecurity Guidance

• Companies are not disclosing enough.

• Vast majority of companies that addressed cyber issues used onlyboilerplate language.

• [B]oards must take seriously their responsibility to ensure thatmanagement has implemented effective risk management protocols.Boards of directors are already responsible for overseeing themanagement of all types of risk, including credit risk, liquidity risk,and operational risk and there can be little doubt that cyber-risk also must beconsidered as part of board’s overall risk oversight. The recent announcementthat a prominent proxy advisory firm [Institutional ShareholdersServices (ISS)] is urging the ouster of most of the Target Corporationdirectors because of the perceived “failure…to ensure appropriatemanagement of [the] risks” as to Target’s December 2013 cyber-attack is another driver that should put directors on notice toproactively address the risks associated with cyber-attacks. By LuisAguilar, SEC Commissioner


IV – Responding to a Cyber Incident

1.First Steps:

a. Understand and identified unusual behavior

a. Don’t disregard threat notifications from law enforcement

a. Begin to assess the nature of the attack

a. Consider insurance and notify quickly.


2. Conduct an Investigationa - Assess potentially significant legal ramifications

b - Understandi. Nature of the compromiseii. Data and systems at issueiii.Whether communications systems are secureiv.Whether insiders are involved

c - Whether to retain third party forensic expert

d - Preserve privilege by involving Legal

e - Consider forensic imaging

f - Restore the integrity of the system


3. Coordination with Regulators and Law Enforcement

ü Law enforcement often has a broader view into cyber threats

ü Establish an early line of communication

ü Assess whether the new obligations resulting from enhancedinformation-sharing are applicable to your company

ü Determine the most appropriate agency.

ü Depends on the nature of the compromise local, federal andinternational Law enforcement may be necessary


4. Legal Considerationsa. Understand your legal obligations arising out of a Cyber event

1. Legal hold2. Breach notification and other obligations

ü State, Federal and International Lawü Industry Standardsü Contractual Obligationsü SEC reporting

b. Proactive Measures1. Offensive Llitigation2.Active Defense Strategy


5. Notification Processa. Where appropriate or required craft formal notification and

reporting documentsü Must be done carefully (and quickly)ü Consider hiring a PR expert

b. Take proactive measures to mitigate risksü Manage media responseü Assemble call centerü Develop FAQs and train agentsü Consider identity protection service


6. Risk and Disputes Managementa. Assist law enforcement with criminal prosecution of attackers

a. Defend against legal actionsü Regulatory enforcement: State and Federalü Class Action Litigation

b. Manage disputes with business partners and other third parties

a. Manage insurance claims


7. Good Cybersecurity Practices

a. Engage senior management. Cybersecurity is a governance issue.

a. Identify and classify sensitive data

a. Develop written information security policies and procedures

a. Continually assess status of technical and physical protections

a. Maintain (and practice) incident response plan

a. Manage employee and vendor risks

a. Train employees and increase awareness


THANK YOU!!!

Presentations & Public Speaking

Cybersecurity 2014 by Andrea Almeida - Session #651