
DEALING WITH CYBER RISK & CYBER REGULATIONS

NJICLE – FEBRUARY 1, 2017

Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper LLC

Rob Kleeger, Managing Director, Digital4nx Group, Ltd.

Adam Abresch, Vice President, The Signature B&B Companies

DEALING WITH CYBER RISK & CYBER REGULATIONS

The Changing Regulatory Landscape: NY DFS Proposed 23 NYCRR 500

The Changing Risk Landscape: Ransomware Attacks

THE CHANGING REGULATORY LANDSCAPE

NY DFS Proposed 23 NYCRR 500

Public comment: November 14, 2016; January 17, 2017

Effective March 1, 2017

Proposed 180 Day Compliance Period: Monday, August 28, 2017

THE CHANGING REGULATORY LANDSCAPE

Who is a Covered Entity? Every business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under NY’s banking, insurance or financial services law.

Proposed 23 NYCRR § 500.01(c)

THE CHANGING REGULATORY LANDSCAPE

Limited Exceptions:

• Fewer than 10 employees, incl. independent contractors;

• Less than $5 million in gross annual revenue for each of last three years; or

• Less than $10 million in year-end total assets, as calculated with GAAP.

Proposed 23 NYCRR § 500.19

THE CHANGING REGULATORY LANDSCAPE

Elements of the regulation (diagram):

• Cybersecurity Program

• Cybersecurity Policy

• Third Party Information Security Policy

• Limits on Access Privileges

• Limitations on Data Retention

• Notices to DFS of Cybersecurity Events

• Annual Risk Assessment

• Enforcement by Superintendent of DFS

THE CHANGING REGULATORY LANDSCAPE

Who is Impacted? “Each Covered Entity shall . . . ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”

Proposed 23 NYCRR § 500.11(a)

THE CHANGING REGULATORY LANDSCAPE

Who is Impacted? Outside Counsel

Accountants

IT Services: cloud service providers, data processors, etc.

COMPREHENSIVE CYBERSECURITY PROGRAM

Must ensure: confidentiality; integrity; and availability of Information Systems

Six Core Functions:

• Identify

• Defend

• Detect

• Respond

• Recover

• Report

Proposed 23 NYCRR § 500.02

COMPREHENSIVE CYBERSECURITY POLICY

Must be written policies and procedures for protection of Information Systems.

Must address fourteen specific areas.

Must be reviewed and approved by Board annually.

Proposed 23 NYCRR § 500.03

CYBERSECURITY PERSONNEL

Chief Information Security Officer:

Annual report to Board assessing the Cybersecurity Program

Proposed 23 NYCRR § 500.04

Must employ cybersecurity personnel to manage 6 core functions of the Cybersecurity Program in § 500.02(b)

Proposed 23 NYCRR § 500.10

ASSESSING THE CYBERSECURITY PROGRAM

Periodic vulnerability assessments

Periodic penetration testing

Proposed 23 NYCRR § 500.05

Periodic risk assessments documented in writing

Must evaluate risks; assess adequacy of controls; and document decisions to mitigate or accept risk

Proposed 23 NYCRR § 500.09

AUDIT TRAILS & RECORDS MANAGEMENT

Audit trail for 5 years:

Permit reconstruction of material financial transactions

Log systems events, incl. access and changes to audit trail systems

But . . . must also timely destroy Nonpublic Information

Proposed 23 NYCRR § 500.06 & .13

ADDITIONAL TECHNICAL PROVISIONS

Must implement Multi-Factor Authentication for external access or privileged access

Must implement Risk-Based Authentication to access web applications that include Nonpublic Information

Must encrypt Nonpublic Information at rest and in transit to the extent feasible

Must establish written incident response plan for Cybersecurity Events

ETHICAL ISSUES

N.J. RPC 1.1 - Competence:

A lawyer shall not:

(a) handle or neglect a matter entrusted to the lawyer in such a manner that the lawyer’s conduct constitutes gross negligence;

(b) exhibit a pattern of negligence or neglect in the lawyer’s handling of legal matters generally.

ETHICAL ISSUES

Model Rule 1.1 – Competence

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Comment 8: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .

ETHICAL ISSUES

N.J. RPC 1.6(a) - Confidentiality of Information:

A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation . . . .

N.J. R.P.C. 1.15(a) – Safekeeping Property

A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property.

N.J. R.P.C. 1.16(d) – Declining or Terminating Representation

Upon termination of representation, a lawyer shall . . . surrender[] papers and property to which the client is entitled . . . .

ETHICAL ISSUES

N.J. Advisory Committee Opinion 701 (Apr. 24, 2006) &

N.Y. State Bar Association Ethics Opinion 842 (Sept. 10, 2010)

RPC 1.6 requires affirmative steps to maintain confidentiality, including proper destruction of files.

Reasonable care requires:

Third-party has enforceable obligation to maintain confidentiality;

Due diligence of third-party’s security measures, recovery methods, and disposal methods; and

Technology to guard against reasonably foreseeable threats.

ETHICAL ISSUES

N.J. Advisory Committee Opinion 701 (Apr. 24, 2006) &

N.Y. State Bar Association Ethics Opinion 1019 (Aug. 6, 2014)

Affirms requirements for ensuring reasonable care set forth in Opinion 842

Recognizes that cybersecurity threats extend to personal privacy, trade secrets, business plans, and other proprietary information

Emphasis is on affirmative duty to review and consider adequacy of security measures

ETHICAL ISSUES

http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html

Thank You / Break

Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper [email protected] / 908-514-8830

Rob Kleeger, Managing Director, Digital4nx Group, [email protected] / 973-699-0167

Adam Abresch, Vice President, The Signature B&B [email protected] / 516-823-3101

Dealing with Cyber Risk and Cyber Regulations

Part II - Ransomware

How Do We Generate Business?

• Inform, Educate, Add Value

• Technical Ability – Passion – Commitment to Excellence

• Trust – Respect – Prowess – Price

• Experience – History – Talent

• Long term trusted referral relationships and “word of mouth”

When it comes to Firm or Client Size…Size Doesn’t Matter

Scenario

It is not just what you see in the News

– You may have noticed a lot of stories in the news on hackers and cybercrime

– It is even more widespread: The media only covers noteworthy events, but everyone is under attack

• Attacks are more likely to be against companies like yours

• 72% of attacks are against Small to Mid-sized Businesses

• These numbers are trending towards smaller businesses as larger companies dedicate more resources toward IT Security

Are Lawyers A Target For Hackers? (Spoiler Alert: Yes)

“If you’re not scared, you’re not paying attention.”

For years, the FBI has warned that hackers get major cash for intellectual property and customer data.

February 2016 a large law firm’s vendor was hacked, revealing current and former employees’ personal data, including tax information, Social Security numbers, passport information, and other federal data.

Law firms have been a primary target…Why?

The Universal Problem

A Definition Of Ransomware

Ransomware is a form of malware that encrypts files on an infected device and holds them hostage until the user pays a ransom to the malware operators.

Today, common strains of ransomware include Cryptolocker (isolated in 2014), Cryptowall, Locky, and Samas or Samsam.

How Ransomware Works

Typically, a ransomware attack consists of four stages:

(1) Infection with ransomware,

(2) Activation of ransomware,

(3) Request for ransom,

(4) Payment of a ransom.

Ransomware Delivery methods include:

• Traffic distribution system. A TDS will redirect web traffic to a site, which hosts an exploit kit. Some hackers may hire a TDS to spread their ransomware.

• Malvertisement. In this case, a malicious advertisement would take a user to a malicious landing page if clicked on.

• Phishing email. Phishing scams are the most common way to disseminate malicious content. A single click on a malicious link or attachment could compromise an entire network.

• Downloaders. Downloaders deliver malware into systems in stages, which makes it harder to recognize the malicious intent by signature-based detection.

• Social engineering. Social engineering relies on maneuvering users into breaking their own security protocols to introduce the malware into their system.

• Self-propagation. Self-propagating ransomware will have a functionality that supports its continual spread throughout a system.

• Ransomware-as-a-service. Experienced hackers may outsource their successful malware to less technically adept cyberattackers.

According to the Institute of Critical Infrastructure Technology

Data is either…

In Motion -> such as being emailed

- or –

At Rest -> such as stored on your hard drive

It can be vulnerable and you need to be careful in both situations

Let’s talk technical…

• Protecting data-in-motion is a complex challenge. The Internet provides cheap global communication, however it has little built-in security.

• Most communications are sent in clear-text, meaning anyone who gains access to the info can easily read it.

• Developers are pressured to “make it work” and meet tight deadlines

• Most technology is built with security as an afterthought.

• Functionality and Ease-of-use are deemed top priority, which automatically makes security secondary

Data-in-Motion

Security breaches are typically made far worse when the attackers find troves of data in users’ stored emails and files

Such as:

• Passwords sent-to/received-from others

• Confidential data/reports/financials emailed around

• Files with passwords stored unencrypted

Data-at-Rest

• Lack of strong passwords

• IT upgrades and/or migrations

• Human error

• Lack of proper controls or data governance

• …BYOD, Social Media, The Cloud, The Internet of Things

Are People the weakest link?

Cyber Threats

• You are on your way into work and you spot a USB thumb drive on the ground. It has your company’s logo on it.

• You pick it up and decide to see what's on it so you can figure out who it belongs to and return it to them.

• You plug it into your computer and there are no files or anything else that you can find that identifies the owner.

• You keep the USB drive for your own use, and end up also plugging it into your laptop and home computer at later dates.

Hypothetical Situation

64 Gigabytes

You’ve been hacked!

Social Engineering

Social engineering is the art of manipulating people into performing actions or divulging sensitive information. Rather than breaking into computer networks or systems, social engineers use psychological tricks on humans.

• Poses as a trusted authority

• Might already have information to use to prove their trustworthiness.

• Clicking unknown website links/pop-ups and responding to phishing emails.

• May use different methods like phone, email, or websites or a combination of these.

• Remain mindful!

• A law firm in transferred $387,000 to a bank after it closed a real estate deal.

• The victim organization had been infected with keystroke logging software.

• Cybercriminals transferred funds from the law firm’s bank, which transferred the funds to a bank in New York and then to a bank in Moscow.

This is NOT perception…but a Reality!

• An attorney opened an attachment.

• Malware was installed on his computer.

• Hours later $289,000 had been transferred from his firm’s account to a bank in China.

URLs

• Links can be tricky to notice when they are not legitimate

– www.paypal.com.091n93un91n1iicm1.ncq93p9nco.us/nqcivqoijn/creditinfo/

• Look again, that is not paypal.com; it is a subdomain of ncq93p9nco.us

– www.bankoffamerica.com

• Seems like it could be their site with a quick glance, but it has a slight typo and is a fake

– www.yourcompanyinc.com

• Seems like your company’s site, but the INC at the end is wrong; your site is yourcompany.com

• Mini URLs

– There are legitimate services, such as Tiny URL, Bitly and Google URL shortener, which people use to shorten long complicated links so they are shorter to embed in emails

– Hackers can use these services to get you to access a link without you knowing where you are being taken to. Be wary!
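The three look-alike patterns above (brand name hidden in a subdomain, one-character typo, extra word appended) can be checked mechanically before anyone clicks. The following is an added example, not code from the slides; the list of trusted domains is an assumption, and the "last two labels" rule is a simplification that ignores multi-label suffixes such as co.uk.

```python
# Added example (not from the original slides): a small link checker that applies
# the slide's three checks to a URL. TRUSTED_DOMAINS and the sample URLs are
# constructed for this example; registrable_domain() approximates the public-suffix
# list by taking the last two host labels.
from urllib.parse import urlsplit

# Hypothetical list of domains the firm legitimately deals with (assumption).
TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com", "yourcompany.com"}


def registrable_domain(host: str) -> str:
    """'a.b.example.com' -> 'example.com' (ignores suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typos in a brand name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> dict:
    """Classify a URL as 'trusted', 'subdomain-spoof', 'typosquat' or 'unknown'."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    domain = registrable_domain(host)
    result = {"host": host, "domain": domain}
    if domain in TRUSTED_DOMAINS:
        return {**result, "verdict": "trusted"}
    # Slide case 1: the brand appears in the host, but the registrable
    # domain (the part that actually decides who owns the site) is someone else's.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            return {**result, "verdict": "subdomain-spoof", "imitates": trusted}
    # Slide cases 2 and 3: the registrable domain is a near miss of a trusted one,
    # either a small typo (bankoffamerica) or the brand with something appended (yourcompanyinc).
    for trusted in TRUSTED_DOMAINS:
        tname, dname = trusted.split(".")[0], domain.split(".")[0]
        if dname.startswith(tname) or edit_distance(tname, dname) <= 2:
            return {**result, "verdict": "typosquat", "imitates": trusted}
    return {**result, "verdict": "unknown"}


if __name__ == "__main__":
    for u in ["www.paypal.com.091n93un91n1iicm1.ncq93p9nco.us/nqcivqoijn/creditinfo/",
              "www.bankoffamerica.com", "www.yourcompanyinc.com", "https://www.paypal.com/"]:
        print(check_link(u))
```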

Best Practices For Better Data Security

What to Do After a Ransomware Attack… Plan, Pray, or Pay?

• Law firms of all sizes are vulnerable to ransomware.

• Small law firms which lack financial resources necessary for the development of comprehensive security programs are especially susceptible to information security attacks.

According to FBI Cyber Division Assistant Director James Trainor…

“These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Defenses against Ransomware:

• Block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox.

• Keep operating systems, browsers and browser plug-ins, such as Java and Silverlight, fully updated.

• Program hard drives on your computer network to prevent any unidentified user from modifying files.

• Regularly back up data with media not connected to the Internet.

• Finally, for end users and organizations alike, awareness and education are key to protecting against ransomware attacks. By educating yourself and your users on basic protection practices and keeping up with current security threats, you can mitigate the risk of ransomware and keep your data safe.
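The first defense in the list, stopping executables and archives that contain executables before they reach the inbox, can be implemented as a small attachment filter. This is an added example, not code from the slides or any named product: the extension lists, nesting limit and sample attachments are constructed for the example, and the check also looks at file content so that a renamed executable is still caught.

```python
# Added example (not from the original slides): a mail-gateway style attachment
# check for the first ransomware defense above. Sample attachments are built
# in memory; EXECUTABLE_EXTENSIONS and MAX_DEPTH are assumptions for the example.
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js",
                         ".vbs", ".ps1", ".msi", ".dll"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3  # archives nested deeper than this are rejected rather than unpacked


def looks_executable(name: str, data: bytes) -> bool:
    """True if the name has an executable extension or the bytes start with the
    Windows PE 'MZ' header, so 'report.pdf' that is really an .exe is still caught."""
    lowered = name.lower()
    if any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    return data[:2] == b"MZ"


def find_executables(name: str, data: bytes, depth: int = 0) -> list:
    """Return paths of executable content in an attachment, descending into zips."""
    if looks_executable(name, data):
        return [name]
    if not any(name.lower().endswith(ext) for ext in ARCHIVE_EXTENSIONS):
        return []
    if depth >= MAX_DEPTH:
        return [name + " (archive nested too deeply)"]
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # zipfile raises RuntimeError for password-protected members
                member = zf.read(info)
                found.extend(find_executables(name + "/" + info.filename, member, depth + 1))
    except (zipfile.BadZipFile, RuntimeError):
        # Corrupt or encrypted archives cannot be inspected: treat as suspect.
        found.append(name + " (unreadable archive)")
    return found


def should_block(name: str, data: bytes) -> bool:
    """Gateway decision for one attachment."""
    return bool(find_executables(name, data))


def build_sample_zip(members: dict) -> bytes:
    """Construct a zip in memory from {member_name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a double-extension exe inside a zip, a zip inside a zip,
    # a renamed executable, and a harmless text file.
    samples = {
        "invoice.zip": build_sample_zip({"invoice.pdf.exe": b"MZ\x90\x00"}),
        "outer.zip": build_sample_zip({"inner.zip": build_sample_zip(
            {"readme.txt": b"hello", "setup.scr": b"MZ\x90\x00"})}),
        "report.pdf": b"MZ\x90\x00\x03",
        "notes.txt": b"meeting notes",
    }
    for attachment, blob in samples.items():
        print(attachment, "BLOCK" if should_block(attachment, blob) else "allow",
              find_executables(attachment, blob))
```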

Security software isn’t bulletproof

• No anti-virus, anti-malware, firewall or other security application is fool-proof

• Anti-virus programs can only detect known malware or anomalous signatures in software and files, but new strains are always being developed

• “Polymorphic” viruses keep changing themselves so they cannot be detected by their signature

• “Zero-Day” exploits are exploits that are being used that no one but the malicious entity knows exists, and thus, anti-virus programs cannot protect you since they are not aware of the threat

• You must be diligent and careful of what sites you visit, what documents you open, and what files you download

You don’t need to be a techie to be secure

• The goal of these educational seminars is not to try to make you a techie who has in-depth knowledge of how to secure an I.T. infrastructure

• You can rely on and use your I.T. department to assist you

• But, you do need to understand the importance of information security and the dangers of it being compromised

• And, you do need to understand what the best practices are for end-users and ensure that you follow them

The most common threat

• Passwords are the most common security mechanism used in technology

• They are also the most common item attacked

• Ensuring that you abide by password best-practices will help protect you and your organization

25 Most Popular Passwords

Raise your hand if you use one of these…

Here is how long it takes to crack passwords of various complexities:

6 Alpha characters (e.g. monkey) – 1 second

6 Alpha-Numeric characters (e.g. abc123) – 1 second

8 Alpha characters (e.g. password) – 1 minute

8 Alpha-Numeric characters (e.g. trustno1) – 11 minutes

8 Alpha-Numeric + Special characters (e.g. tr1cky!!) – 3 hours

8 Upper & Lowercase, Numbers + Special (e.g. Tr1cky!!) – 3 days

10 Upper & Lowercase, Numbers + Special (e.g. I'mTr1cky!) – 58 years

For example, "My son's birthday is 12 December, 2004" could become Mi$un's Brthd8iz 12124, which would make a good passphrase.

*Based on the processing power of a desktop PC. These times can be shortened if a hacker has more powerful servers or resources. Your password can also be easier to crack if you use dictionary words or a commonly used password.

Speed to crack passwords

• Do not use names, dates, or dictionary words.

• Use long passphrases which are easy to remember.

• Length matters. Passwords should be at least 8 characters and contain numbers, capital letters and symbols.

• Change passwords on at least a quarterly basis.

• Always use two-factor authentication if offered by the provider.

• Never use the same password in different accounts.

• Use http://www.passwordmeter.com/ and https://www.grc.com/haystack.htm to assess the strength of your passwords.

Passwords – Best Practices

Rules

• Don’t write your password down on a sticky-note attached to your screen

• Don’t keep your passwords written in a text file on your computer

• Don’t write them down in plaintext anywhere!

• Instead, use secure pass-phrases that you can remember, or

• Use an encrypted password storage program, like KeePass or LastPass

How to store

Multi-Factor / Two-Factor Authentication

• Authentication is either:

– Something you know (like a password or PIN)

– Something you have (like your cellphone or ATM card)

– Something you are (like your fingerprint)

• Passwords are the common form used

• Adding a second factor greatly increases security

• A common option being used now is to send a code via text to your cell phone (something you have) and asking for that in addition to your password (something you know)

• Turn on 2-Factor Authentication for added security, especially with email accounts, bank accounts, and other sensitive accounts

Be cautious and wary

– Many attacks rely on tricking the user and playing on their lack of suspicion.

– Don’t be the low-lying fruit; attacks are often aimed at the easiest prey and criminals will move along to another target if they encounter defenses.

– When in doubt, play it safe. Ask someone if you are not sure.

All it takes is one mistake. Be naturally cautious and wary.

Rules

• Do not give out your access credentials to anyone

• Do not allow people to enter secure areas without credentials

• Do not click on links in emails unless you are 100% certain they are legitimate

• Understand that you are in control of access credentials and information that is valuable to an attacker

• Do not be afraid to say “Sorry, I cannot help” or “Sorry, I need to check on this with someone first”

• If unsure, ask a superior or someone in the I.T. Department

• Always BE WARY

Cybersecurity: Top Tips for Keeping Data Safe

Conduct Independent Ethical Hacking Assessment:

• An attack on your network and computer systems using real-world tools and techniques in order to find security weaknesses.

Assessment Objectives:

• Uncover vulnerabilities

• Provide a road-map for making your networks secure

• Identify the sensitive information

• Greatly increase your level of security

Develop a Breach Response Plan:

• Formulate a Data Breach Response Plan

• Crisis Response Team (internal and external)

• Conduct breach response drills annually

• Media/PR Strategy

Cybersecurity: Top Tips for Keeping Data Safe

Security software isn’t bulletproof:

• No anti-virus, anti-malware, firewall or other security application is fool-proof.

• You must be diligent and careful of what sites you visit, what documents you open, and what files you download.

Training:

• Users should be considered the first line of defense in any security infrastructure.

• A robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.

Insure:

• Consider cyber risk policy to augment existing coverages.

What is at risk?

Ransomware

Hollywood Presbyterian 

INSIDER THREATS

Malicious and/or disgruntled Employees

*This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations

Any Questions ???

DISCLAIMER: These slides are made available for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This information should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. While we try to make sure that all information is accurate at all times, we are not responsible for typographical and other errors that may appear; it is your responsibility to verify that all details listed are accurate.

Contact Us:

Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper [email protected] / 908-514-8830

Rob Kleeger, Managing Director, Digital4nx Group, [email protected] / 973-699-0167

Adam Abresch, Vice President, The Signature B&B [email protected] / 516-823-3101