criminal network intrusion and data theft
TRANSCRIPT
CRIMINAL NETWORK INTRUSION AND DATA THEFT:
Today’s Security Landscape and What to Do If You’ve Been Compromised
TUESDAY, MAY 24, 2011
Alston & Bird LLP
PricewaterhouseCoopers
Silverpop
Data Breach Seminar
Alston & Bird
May 24, 2011
Presented by Kimberly Peretti, PricewaterhouseCoopers LLP
www.pwc.com
PwC
Agenda
Cyber threat landscape
Anatomy of a targeted cyber attack
Trends
March 2011
Cyber threat landscape
Who are they & what do they want
Targeted cyber intrusions
Who are they
Targeted cyber intrusions
What do they want
Profile of Cyber Criminals – the Albert Gonzalez conspiracies
In the US
Young kids
Self-taught computer skills
Self-taught bankers
Drugs
No formal education after high school
In Eastern Europe
Young kids with privileged backgrounds
Smart investors
Best formal computer training programs
Insider Threat
Data theft/leakage vectors
January 2011
Insider Threat
Influencers
1. Foreign intelligence services
2. Corrupt competitors
3. “WikiLeaks” web sites
4. Personal financial distress
5. Notification of lay-off
6. Work disenchantment
7. Unresolved work conflict
Statistics say
1. Digital > physical
2. Onsite > remote access
3. Normal business hours > off hours
4. Theft committed within 30-60 days of departure
Anatomy of a targeted cyber attack
SoP
Trends
Assume a state of compromise
Targeted attacks cannot be prevented
Cyber Incident Management Lifecycle
Post-incident threat assessment
Response/Resolution
Lessons learned/Remediation
Cyber threat intelligence
Planning/Training
Cyber Incident Management Team
Stakeholders: Legal, IT, Finance, Other Sr Execs, Others
Core Team: Incident Team Leader, Support staff, Updates to stakeholders
Investigative Team: Technical Team Leader, Technologists/SMEs
Cyber forensics
Evidence integrity: On site, Transportation, Storage
Evidence analysis: Forensic tools, Documented procedures, Documented findings
Evidence collection: Forensic tools, Photos, Log, Chain of Custody
Cyber Forensics: Network Forensics, Malware Forensics, Computer Forensics, Live Memory Forensics
Cyber threat intelligence
Cyber Threat Intelligence
Commercial 3rd Party Sources
Industry working groups
FBI InfraGard
USSS ECTF
DHS US-CERT
Network Traffic Analysis
Spam Analysis
Malware Analysis
Log Analysis
www.pwc.com/us/cyber
© 2011 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
The Art and Science of Breach Notification
May 24, 2011
WWW.ALSTON.COM
Security Incident Management Process
Escalation
Detection
Investigation
Notification
Remediation
Why in the world would we want to disclose a breach to the public?
California – 2002 (effective 2003)
Political No-Brainer
47 states, DC and Puerto Rico
Federal standards for the financial services (GLB Act) and healthcare (HIPAA / HITECH Act) industries
PCI Data Security Standard
Comprehensive federal legislation proposed
Do we have to notify?
Unauthorized Third Party Access
“Personal Information”
Encryption and Other Security Measures
Gramm-Leach-Bliley Act - Sensitive NPI
HITECH Act
PCI Data Security Standard – Payment card information
Sequencing of Notice
Internal Investigation and Forensic Analysis
Law Enforcement
Regulator Community
State Authorities and Credit Bureaus
Affected Persons Non-required states
Sub-Class of Persons at Risk
GLB, HIPAA and PCI DSS
Press Release and Securities Considerations
The Notice
Direct written notice or substitute notice
Describe the incident (MA makes this more difficult)
Describe the type of PI involved in the breach (MA standard)
Telephone contact information
Tips to reduce risk of identity theft (MA Security Freeze)
Credit bureau information
GLB, HIPAA and PCI DSS
Strategy and Logistics
Threat Status and Systems “Hardening”
Public Relations Strategy
Communication Channels
Credit Monitoring Service
Printing and Publishing the Letters
The Response
Q&A
Monitoring and Escalation of Contacts
Regulator Contacts
Network and Systems Monitoring
Outsourcers and Other Vendors
Supplier duty to notify the customer by statute
Notification and related obligations by contract
Timing
Disclosure to others
Audit rights
Allocation of risk and liability
Checklist
Form an Internal Response Team to coordinate management of and response to the incident
Perform investigation
Third party forensic investigation support
Detailed chronological investigation report
Develop a public relations strategy
Assess NYSE/Nasdaq and SEC disclosure requirements
Establish call center resources
Notification standards, sequencing, delivery and response
Risk remediation/process improvement plan
Full Spectrum Legal Issues in a Network Intrusion
May 24, 2011
Atlanta, Georgia