TRANSCRIPT
DEALING WITH CYBER RISK & CYBER REGULATIONS
NJICLE – FEBRUARY 1, 2017
Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper LLC
Rob Kleeger, Managing Director, Digital4nx Group, Ltd.
Adam Abresch, Vice President, The Signature B&B Companies
DEALING WITH CYBER RISK & CYBER REGULATIONS
The Changing Regulatory Landscape: NY DFS Proposed 23 NYCRR 500
The Changing Risk Landscape: Ransomware Attacks
THE CHANGING REGULATORY LANDSCAPE
NY DFS Proposed 23 NYCRR 500
Public comment: November 14, 2016; January 17, 2017
Effective March 1, 2017
Proposed 180-Day Compliance Period: Monday, August 28, 2017
THE CHANGING REGULATORY LANDSCAPE
Who is a Covered Entity?
Every business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under NY’s banking, insurance or financial services law.
Proposed 23 NYCRR § 500.01(c)
THE CHANGING REGULATORY LANDSCAPE
Limited Exceptions:
Fewer than 10 employees, incl. independent contractors;
Less than $5 million in gross annual revenue for each of the last three years; or
Less than $10 million in year-end total assets, as calculated under GAAP.
Proposed 23 NYCRR § 500.19
THE CHANGING REGULATORY LANDSCAPE
Key requirements:
Cybersecurity Program
Cybersecurity Policy
Third Party Information Security Policy
Limits on Access Privileges
Limitations on Data Retention
Notices to DFS of Cybersecurity Events
Annual Risk Assessment
Enforcement by Superintendent of DFS
THE CHANGING REGULATORY LANDSCAPE
Who is Impacted?
“Each Covered Entity shall . . . ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”
Proposed 23 NYCRR § 500.11(a)
THE CHANGING REGULATORY LANDSCAPE
Who is Impacted? Outside Counsel
Accountants
IT Services: cloud service providers, data processors, etc.
COMPREHENSIVE CYBERSECURITY PROGRAM
Must ensure: confidentiality; integrity; and availability of Information Systems
Six Core Functions: Identify; Defend; Detect; Respond; Recover; Report
Proposed 23 NYCRR § 500.02
COMPREHENSIVE CYBERSECURITY POLICY
Must have written policies and procedures for the protection of Information Systems.
Must address fourteen specific areas.
Must be reviewed and approved by Board annually.
Proposed 23 NYCRR § 500.03
CYBERSECURITY PERSONNEL
Chief Information Security Officer: annual report to Board assessing the Cybersecurity Program
Proposed 23 NYCRR § 500.04
Must employ cybersecurity personnel to manage the six core functions of the Cybersecurity Program in § 500.02(b)
Proposed 23 NYCRR § 500.10
ASSESSING THE CYBERSECURITY PROGRAM
Periodic vulnerability assessments
Periodic penetration testing
Proposed 23 NYCRR § 500.05
Periodic risk assessments documented in writing
Must evaluate risks; assess adequacy of controls; and document decisions to mitigate or accept risk
Proposed 23 NYCRR § 500.09
AUDIT TRAILS & RECORDS MANAGEMENT
Audit trail for 5 years:
Permit reconstruction of material financial transactions
Log systems events, incl. access and changes to audit trail systems
But . . . must also timely destroy Nonpublic Information
Proposed 23 NYCRR § 500.06 & .13
ADDITIONAL TECHNICAL PROVISIONS
Must implement Multi-Factor Authentication for external access or privileged access
Must implement Risk-Based Authentication to access web applications that include Nonpublic Information
Must encrypt Nonpublic Information at rest and in transit to the extent feasible
Must establish written incident response plan for Cybersecurity Events
ETHICAL ISSUES
N.J. RPC 1.1 - Competence:
A lawyer shall not:
(a) handle or neglect a matter entrusted to the lawyer in such a manner that the lawyer’s conduct constitutes gross negligence;
(b) exhibit a pattern of negligence or neglect in the lawyer’s handling of legal matters generally.
ETHICAL ISSUES
Model Rule 1.1 – Competence
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
Comment 8: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .
ETHICAL ISSUES
N.J. RPC 1.6(a) - Confidentiality of Information:
A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation . . . .
N.J. R.P.C. 1.15(a) – Safekeeping Property
A lawyer shall hold property of clients or third persons that is in a lawyer's possession in connection with a representation separate from the lawyer's own property.
N.J. R.P.C. 1.16(d) – Declining or Terminating Representation
Upon termination of representation, a lawyer shall . . . surrender[] papers and property to which the client is entitled . . . .
ETHICAL ISSUES
N.J. Advisory Committee Opinion 701 (Apr. 24, 2006) &
N.Y. State Bar Association Ethics Opinion 842 (Sept. 10, 2010)
RPC 1.6 requires affirmative steps to maintain confidentiality, including proper destruction of files.
Reasonable care requires:
Third-party has enforceable obligation to maintain confidentiality;
Due diligence of third-party’s security measures, recovery methods, and disposal methods; and
Technology to guard against reasonably foreseeable threats.
ETHICAL ISSUES
N.J. Advisory Committee Opinion 701 (Apr. 24, 2006) &
N.Y. State Bar Association Ethics Opinion 1019 (Aug. 6, 2014)
Affirms requirements for ensuring reasonable care set forth in Opinion 842
Recognizes that cybersecurity threats extend to personal privacy, trade secrets, business plans, and other proprietary information
Emphasis is on affirmative duty to review and consider adequacy of security measures
ETHICAL ISSUES
http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html
Thank You / Break
Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper [email protected] / 908-514-8830
Rob Kleeger, Managing Director, Digital4nx Group, [email protected] / 973-699-0167
Adam Abresch, Vice President, The Signature B&B [email protected] / 516-823-3101
How Do We Generate Business?
• Inform, Educate, Add Value
• Technical Ability – Passion – Commitment to Excellence
• Trust – Respect – Prowess – Price
• Experience – History – Talent
• Long term trusted referral relationships and “word of mouth”
When it comes to Firm or Client Size…Size Doesn’t Matter
It is not just what you see in the News
– You may have noticed a lot of stories in the news on hackers and cybercrime
– It is even more widespread: The media only covers noteworthy events, but everyone is under attack
• Attacks are more likely to be against companies like yours
• 72% of attacks are against Small to Mid-sized Businesses
• These numbers are trending towards smaller businesses as larger companies dedicate more resources toward IT Security
Are Lawyers A Target For Hackers? (Spoiler Alert: Yes)
“If you’re not scared, you’re not paying attention.”
For years the FBI has warned that hackers get major cash for intellectual property and customer data.
In February 2016 a large law firm’s vendor was hacked, revealing current and former employees’ personal data, including tax information, Social Security numbers, passport information, and other federal data.
Law firms have been a primary target…Why?
A Definition Of Ransomware
Ransomware is a form of malware that encrypts files on an infected device and holds them hostage until the user pays a ransom to the malware operators.
Today, common strains of ransomware include Cryptolocker (isolated in 2014), Cryptowall, Locky, and Samas or Samsam.
How Ransomware Works
Typically, a ransomware attack consists of four stages:
(1) Infection with ransomware, (2) Activation of ransomware, (3) Request for ransom, (4) Payment of a ransom.
Ransomware delivery methods (according to the Institute for Critical Infrastructure Technology) include:
• Traffic distribution system. A TDS will redirect web traffic to a site which hosts an exploit kit. Some hackers may hire a TDS to spread their ransomware.
• Malvertisement. A malicious advertisement takes the user to a malicious landing page if clicked on.
• Phishing email. Phishing scams are the most common way to disseminate malicious content. A single click on a malicious link or attachment could compromise an entire network.
• Downloaders. Downloaders deliver malware into systems in stages, which makes it harder for signature-based detection to recognize the malicious intent.
• Social engineering. Social engineering relies on maneuvering users into breaking their own security protocols to introduce the malware into their system.
• Self-propagation. Self-propagating ransomware has functionality that supports its continual spread throughout a system.
• Ransomware-as-a-service. Experienced hackers may outsource their successful malware to less technically adept cyberattackers.
Data is either…
In Motion -> such as being emailed
- or –
At Rest -> such as stored on your hard drive
It can be vulnerable and you need to be careful in both situations
Let’s talk technical…
Data-in-Motion
• Protecting data in motion is a complex challenge. The Internet provides cheap global communication, but it has little built-in security.
• Much communication is still sent in clear text, meaning anyone who can intercept the traffic can read it.
• Developers are pressured to “make it work” and meet tight deadlines.
• Most technology is built with security as an afterthought.
• Functionality and ease of use are deemed top priority, which automatically makes security secondary.
Data-at-Rest
Security breaches are typically made far worse when the attackers find troves of data in users’ stored emails and files, such as:
• Passwords sent to or received from others
• Confidential data, reports and financials emailed around
• Files with passwords stored unencrypted
• Lack of strong passwords
• IT upgrades and/or migrations
• Human error
• Lack of proper controls or data governance
• …BYOD, Social Media, The Cloud, The Internet of Things
Are People the weakest link?
Cyber Threats: Hypothetical Situation
• You are on your way into work and you spot a USB thumb drive on the ground. It has your company’s logo on it.
• You pick it up and decide to see what’s on it so you can figure out who it belongs to and return it to them.
• You plug it into your computer and there are no files or anything else that you can find that identifies the owner.
• You keep the USB drive for your own use, and end up also plugging it into your laptop and home computer at later dates.
[Image: 64 Gigabytes]
Social Engineering
Social engineering is the art of manipulating people into performing actions or divulging sensitive information. Rather than breaking into computer networks or systems, social engineers use psychological tricks on humans.
• Poses as a trusted authority
• Might already have information to use to prove their trustworthiness
• Relies on users clicking unknown website links/pop-ups and responding to phishing emails
• May use different methods like phone, email, or websites, or a combination of these
• Remain mindful!
This is NOT perception…but a Reality!
• A law firm transferred $387,000 to a bank after it closed a real estate deal. The victim organization had been infected with keystroke-logging software. Cybercriminals transferred funds from the law firm’s bank, which transferred the funds to a bank in New York and then to a bank in Moscow.
• An attorney opened an attachment. Malware was installed on his computer. Hours later $289,000 had been transferred from his firm’s account to a bank in China.
URLs
• Links can be tricky to notice when they are not legitimate:
– www.paypal.com.091n93un91n1iicm1.ncq93p9nco.us/nqcivqoijn/creditinfo/
Look again: that is not paypal.com, it is a subdomain of ncq93p9nco.us
– www.bankoffamerica.com
Seems like it could be their site at a quick glance, but it has a slight typo and is a fake
– www.yourcompanyinc.com
Seems like your company’s site, but the INC at the end is wrong; your site is yourcompany.com
• Mini URLs
– There are legitimate services, such as TinyURL, Bitly and Google URL Shortener, which people use to shorten long, complicated links so they are easier to embed in emails
– Hackers can use these services to get you to follow a link without knowing where you are being taken. Be wary!
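The domain checks the slide walks through by eye can be automated. The Python script below is an added example written for this page, not part of the original presentation or the presenters’ materials. It runs the three sample links from the slide through a small classifier that extracts the real registrable domain and compares it with an allow-list of known brands. The allow-list, the shortener list, the sample links other than the slide’s three, and the two-label approximation of a registrable domain are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Brands we expect users to visit, keyed by their real registrable domain.
# Constructed allow-list for the example; a real deployment would load the
# organisation's own list of trusted sites.
KNOWN_BRANDS = {
    "paypal.com": "PayPal",
    "bankofamerica.com": "Bank of America",
    "yourcompany.com": "Your Company",
}

# Link shorteners named on the slide; they hide the destination until clicked.
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: this approximates the registrable domain (eTLD+1). It is
    wrong for multi-label public suffixes such as co.uk; production code
    should consult the Public Suffix List instead.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> dict:
    """Classify a link the way the slide asks the reader to: by its real domain.

    Verdicts:
      ok               registrable domain is a known brand
      shortened        a link shortener; the destination is hidden
      subdomain-spoof  a brand domain appears as a subdomain of something else
      typo-squat       registrable domain is within two edits of a brand
      lookalike        a brand name is embedded in a longer registrable domain
      unknown          none of the above
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    host = (urlsplit(url).hostname or "").lower().strip(".")
    reg = registrable_domain(host)
    result = {"host": host, "registrable": reg, "verdict": "unknown", "brand": None}
    if reg in KNOWN_BRANDS:
        result.update(verdict="ok", brand=KNOWN_BRANDS[reg])
        return result
    if reg in SHORTENERS:
        result["verdict"] = "shortened"
        return result
    padded = "." + host + "."
    for brand_domain, brand in KNOWN_BRANDS.items():
        if "." + brand_domain + "." in padded:          # www.paypal.com.evil.us
            result.update(verdict="subdomain-spoof", brand=brand)
            return result
    label = reg.split(".")[0]                            # "bankoffamerica"
    for brand_domain, brand in KNOWN_BRANDS.items():
        if edit_distance(label, brand_domain.split(".")[0]) <= 2:
            result.update(verdict="typo-squat", brand=brand)
            return result
    for brand_domain, brand in KNOWN_BRANDS.items():
        if brand_domain.split(".")[0] in label:          # "yourcompanyinc"
            result.update(verdict="lookalike", brand=brand)
            return result
    return result


if __name__ == "__main__":
    # The slide's three links, plus a genuine login page and a shortener (constructed).
    for link in [
        "www.paypal.com.091n93un91n1iicm1.ncq93p9nco.us/nqcivqoijn/creditinfo/",
        "www.bankoffamerica.com",
        "www.yourcompanyinc.com",
        "https://www.paypal.com/signin",
        "https://bit.ly/3abcdef",
    ]:
        r = inspect_url(link)
        print(f"{r['verdict']:16} {r['host']}  (brand: {r['brand']})")
```

The order of the checks matters: a brand in the allow-list is accepted before any lookalike logic runs, so a genuine www.paypal.com is never flagged as its own typo-squat.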
What to Do After a Ransomware Attack… Plan, Pray, or Pay?
• Law firms of all sizes are vulnerable to ransomware.
• Small law firms which lack the financial resources necessary for the development of comprehensive security programs are especially susceptible to information security attacks.
According to FBI Cyber Division Assistant Director James Trainor…
“These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Defenses against Ransomware:
• Block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox.
• Keep operating systems, browsers and browser plug-ins, such as Java and Silverlight, fully updated.
• Restrict write permissions on network file shares so that only authenticated, authorized users can modify files; ransomware running as a user can only encrypt what that user is allowed to write to.
• Regularly back up data to media not connected to the Internet or to your network, and test that the backups actually restore.
• Finally, for end users and organizations alike, awareness and education are key to protecting against ransomware attacks. By educating yourself and your users on basic protection practices and keeping up with current security threats, you can mitigate the risk of ransomware and keep your data safe.
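The first defense above, blocking executables and archives that contain them before they reach the inbox, is the kind of check a mail gateway performs. The Python below is an added example written for this page, not a tool from the presenters. It opens an attachment (descending into nested zips) and flags anything with an executable extension or a Windows PE header, so an .exe renamed to .pdf is still caught. The extension list, the nesting and size limits, and the sample zip it builds are constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows will run when double-clicked. Short list constructed
# for the example; a mail gateway would carry a much longer one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".dll",
}
PE_MAGIC = b"MZ"                      # every Windows .exe/.dll starts with this DOS header
MAX_NESTING = 3                       # assumed limit: stop opening zips-in-zips past this depth
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # assumed limit: refuse to inflate giant members (zip-bomb guard)


def looks_executable(name: str, head: bytes) -> bool:
    """Flag by extension OR by content, so renaming evil.exe to invoice.pdf does not help."""
    ext = PurePosixPath(name.lower()).suffix
    return ext in EXECUTABLE_EXTENSIONS or head.startswith(PE_MAGIC)


def find_executables(data: bytes, name: str = "attachment", depth: int = 0) -> list:
    """Return the path of every executable (or uninspectable member) inside an attachment,
    opening zip archives recursively up to MAX_NESTING levels."""
    if looks_executable(name, data[:2]):
        return [name]
    if depth >= MAX_NESTING or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            path = f"{name}/{member.filename}"
            if member.file_size > MAX_MEMBER_BYTES:
                found.append(path + " (too large to inspect)")
                continue
            found.extend(find_executables(archive.read(member.filename), path, depth + 1))
    return found


def should_block(data: bytes, name: str) -> bool:
    """Gateway decision: block the message if anything executable was found."""
    return bool(find_executables(data, name))


def build_sample_attachment() -> bytes:
    """Construct a test zip: a benign text file, a PE file renamed .pdf, and a
    nested zip holding a .js dropper. Constructed data, not a real sample."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("docs/dropper.js", "var sh = new ActiveXObject('WScript.Shell');")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "Please see the attached invoice.")
        z.writestr("invoice.pdf", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
        z.writestr("docs.zip", nested.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(find_executables(sample, "invoice.zip"))
    print("block invoice.zip:", should_block(sample, "invoice.zip"))
    print("block report.pdf:", should_block(b"%PDF-1.4 hello", "report.pdf"))
```

Password-protected archives defeat this check because the members cannot be read; a gateway should treat an encrypted zip as uninspectable and either block it or route it for manual review rather than pass it through.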
Security software isn’t bulletproof
• No anti-virus, anti-malware, firewall or other security application is fool-proof
• Anti-virus programs can only detect known malware signatures or known-bad behaviour in software and files, but new strains are always being developed
• “Polymorphic” malware keeps changing its own code so it cannot be detected by a fixed signature
• “Zero-day” exploits target vulnerabilities that no one but the attacker knows exist, so anti-virus programs cannot protect you: they are not yet aware of the threat and no patch exists
• You must be diligent and careful about what sites you visit, what documents you open, and what files you download
You don’t need to be a techie to be secure
• The goal of these educational seminars is not to try to make you a techie who has in-depth knowledge of how to secure an I.T. infrastructure
• You can rely on and use your I.T. department to assist you
• But you do need to understand the importance of information security and the dangers of it being compromised
• And you do need to understand what the best practices are for end-users and ensure that you follow them
The most common threat
• Passwords are the most common security mechanism used in technology
• They are also the most common item attacked
• Ensuring that you abide by password best-practices will help protect you and your organization
Speed to crack passwords
Here is how long it takes to crack passwords of various complexities*:
6 alpha characters (e.g. monkey): 1 second
6 alphanumeric characters (e.g. abc123): 1 second
8 alpha characters (e.g. password): 1 minute
8 alphanumeric characters (e.g. trustno1): 11 minutes
8 alphanumeric + special characters (e.g. tr1cky!!): 3 hours
8 upper & lowercase, numbers + special (e.g. Tr1cky!!): 3 days
10 upper & lowercase, numbers + special (e.g. I’mTr1cky!): 58 years
For example, “My son’s birthday is 12 December, 2004” could become Mi$un’s Brthd8iz 12124, which would make a good passphrase.
*Based on the processing power of a desktop PC. These times shrink if a hacker has more powerful servers or resources, and they assume the attacker has stolen the password hashes and can guess offline against a fast hash; a slow, salted hash (bcrypt, scrypt, PBKDF2) or an online login with lockout cuts the guessing rate by orders of magnitude. Your password is also much easier to crack if you use dictionary words or a commonly used password, since attackers try lists of those before resorting to brute force.
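The crack times in the table above depend on who the attacker is and how the password was hashed. The Python below is an added example, not from the presentation; it computes the search space for each row of the table and shows how the time to exhaust it changes with the guessing rate, and how a dictionary word or a random-word passphrase compares. The guessing rates, the wordlist size and the 7776-word passphrase list are labelled assumptions for illustration, not measurements.

```python
import math
import string

# Character classes the slide's rows draw from.
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "special": len(string.punctuation),     # 32 printable ASCII symbols
}

# Guesses per second. Rough assumptions for illustration, not measurements:
# one GPU against an unsalted fast hash, a properly tuned slow hash, and an
# online login form with throttling.
GUESS_RATES = {
    "offline, fast hash (MD5/NTLM, one GPU)": 1e10,
    "offline, slow hash (bcrypt cost 12)": 1e4,
    "online login, throttled": 10,
}

WORDLIST_SIZE = 14_000_000   # assumption: order of magnitude of a large leaked-password list
DICEWARE_WORDS = 7776        # size of a standard diceware word list


def keyspace(length: int, classes) -> int:
    """Number of distinct strings of the given length over the chosen classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length: int, classes) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return math.log2(keyspace(length, classes))


def seconds_to_exhaust(length: int, classes, rate: float) -> float:
    """Worst case for the attacker: try every string once at `rate` guesses/s."""
    return keyspace(length, classes) / rate


def dictionary_attack_seconds(rate: float, wordlist_size: int = WORDLIST_SIZE) -> float:
    """A dictionary word or leaked password falls to a list scan, whatever its length."""
    return wordlist_size / rate


def passphrase_keyspace(words: int, dictionary_size: int = DICEWARE_WORDS) -> int:
    """A passphrase of `words` random words from a list (the slide's 'long passphrase')."""
    return dictionary_size ** words


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    rows = [
        (6, ["lower"]),
        (8, ["lower"]),
        (8, ["lower", "digits"]),
        (8, ["lower", "upper", "digits", "special"]),
        (10, ["lower", "upper", "digits", "special"]),
    ]
    for length, classes in rows:
        print(f"{length} chars, {'+'.join(classes):28} {entropy_bits(length, classes):5.1f} bits")
        for label, rate in GUESS_RATES.items():
            print(f"    {label:40} {human(seconds_to_exhaust(length, classes, rate))}")
    print(f"any word on the list, fast hash: {human(dictionary_attack_seconds(1e10))}")
    print(f"4 random diceware words: {math.log2(passphrase_keyspace(4)):.1f} bits")
```

Two things the table alone does not show fall out of the numbers: the same 8-character password that an offline attacker exhausts in days against a fast hash takes centuries against bcrypt, and a dictionary word is gone in milliseconds regardless of its length.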
Passwords – Best Practices
• Do not use names, dates, or dictionary words.
• Use long passphrases which are easy to remember.
• Length matters. Passwords should be at least 8 characters and contain numbers, capital letters and symbols.
• Change passwords on at least a quarterly basis.
• Always use two-factor authentication if offered by the provider.
• Never use the same password for different accounts.
• Use http://www.passwordmeter.com/ and https://www.grc.com/haystack.htm to assess the strength of your passwords (test a throwaway password with the same structure rather than the real one; never type a live password into a third-party site).
How to store
Rules
• Don’t write your password down on a sticky-note attached to your screen
• Don’t keep your passwords written in a text file on your computer
• Don’t write them down in plaintext anywhere!
• Instead, use secure passphrases that you can remember, or
• Use an encrypted password storage program, like KeePass or LastPass
Multi-Factor / Two-Factor Authentication
• Authentication factors are:
– Something you know (like a password or PIN)
– Something you have (like your cellphone or ATM card)
– Something you are (like your fingerprint)
• Passwords are the common form used
• Adding a second factor greatly increases security
• A common option being used now is to send a code via text to your cell phone (something you have) and ask for that in addition to your password (something you know)
• Turn on 2-factor authentication for added security, especially with email accounts, bank accounts, and other sensitive accounts
Be cautious and wary
– Many attacks rely on tricking the user and playing on their lack of suspicion.
– Don’t be the low-hanging fruit; attacks are often aimed at the easiest prey and criminals will move along to another target if they encounter defenses.
– When in doubt, play it safe. Ask someone if you are not sure. All it takes is one mistake. Be naturally cautious and wary.
Rules
• Do not give out your access credentials to anyone
• Do not allow people to enter secure areas without credentials
• Do not click on links in emails unless you are 100% certain they are legitimate
• Understand that you are in control of access credentials and information that is valuable to an attacker
• Do not be afraid to say “Sorry, I cannot help” or “Sorry, I need to check on this with someone first”
• If unsure, ask a superior or someone in the I.T. Department
• Always BE WARY
Cybersecurity: Top Tips for Keeping Data Safe
Conduct an Independent Ethical Hacking Assessment:
• An authorized attack on your network and computer systems using real-world tools and techniques in order to find security weaknesses before a criminal does.
Assessment Objectives:
• Uncover vulnerabilities
• Provide a road-map for making your networks secure
• Identify where sensitive information lives
• Greatly increase your level of security
Develop a Breach Response Plan:
• Formulate a Data Breach Response Plan
• Crisis Response Team (internal and external)
• Conduct breach response drills annually
• Media/PR Strategy
Cybersecurity: Top Tips for Keeping Data Safe
Security software isn’t bulletproof:
• No anti-virus, anti-malware, firewall or other security application is fool-proof.
• You must be diligent and careful about what sites you visit, what documents you open, and what files you download.
Training:
• Users should be considered the first line of defense in any security infrastructure.
• Run a robust training program that heightens users’ sensitivity to phishing attempts and other exploits.
Insure:
• Consider a cyber risk policy to augment existing coverages.
*This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond. It is not a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Availability of coverage referenced in this document can depend on underwriting qualifications and state regulations
Any Questions ???
DISCLAIMER: These slides are made available for educational purposes only, as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This information should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. While we try to make sure that all information is accurate at all times, we are not responsible for typographical and other errors that may appear; it is your responsibility to verify that all details listed are accurate.
Contact Us:
Ryan J. Cooper, Esq., CIPP/US, Law Office of Ryan J. Cooper [email protected] / 908-514-8830
Rob Kleeger, Managing Director, Digital4nx Group, [email protected] / 973-699-0167
Adam Abresch, Vice President, The Signature B&B [email protected] / 516-823-3101