Nearly 400 Dairy Queen Locations Infected with Backoff Malware · 2014-11-13
Nearly 400 Dairy Queen Locations
Infected with Backoff Malware
Access to Undisclosed Number of Customer Name, Payment Card Numbers, and Expiration Dates
http://www.esecurityplanet.com/print/network-security/dairy-queen-acknowledges-major-credit-card-breach
• 300 Stores in 20 States: Infected with Malware, Payment Card Data Exposed
• Late September: 216 Stores Infected with Malware, Payment Card Data Stolen
• October 10, 2014: POS Systems Compromised, Malicious Software, Certain Debit & Credit Cards Compromised
• December 2013: Personal Information Stolen, 6,300 Nashville Teachers, Former State Employee
• April & June 2014: HIPAA Data Compromised, 4.5 Million Individuals Affected, Mandiant (China)
MEDICAL DATA…
• 10x more valuable than Credit Cards on the Black Market
• Cyber Criminals increasingly targeting HealthCare market
• Medical identity theft not immediately identified by patient or provider
• Years to use credentials
“We've become entrenched in an ever-escalating battle to secure our systems from a determined and increasingly capable enemy,”
Mark Bengel, Chief Information Officer
State of Tennessee
10/1/2014
Defining your Strategy
What is at “stake”
• Federal and Commercial Sectors
www.axiostec.com
What are your “key impacts”
• Intellectual Property
• Patient/Financial/Employee Data
• Manufacturing Processes
Military Application: “Key Cyber Terrain”
Responsibility
• Not a “technical math problem”
• Does not only rest on CIO/CISO/IT experts
• Key operational leaders, i.e., CEO/COO/CFO, must be fully engaged
– Aviation Safety
– Installation Physical Security
– Nuclear Surety
Operational Assessments
• Choose your battles
• Everything cannot be protected
• Identify “showstoppers” and “crown jewels”
Military Application: Commanders and staff fully engaged/aware
The Fix
• Requires constant attention
• Not static, adversary sophisticated and savvy
• Continuous “risk oversight” at all levels
Military Application: Adaptive planning and Common Operational Picture
CyberSpecialist Group - 10/30/2014
My Part FINALLY!!
Obligatory disclaimer
To the best of our knowledge, all information included here falls under the fair use or public domain guidelines of copyright law in the United States. We strive for accuracy but cannot be held responsible for any errors in information featured in the slides or incorrect attributions. CYBER SPECIALIST GROUP does not represent or warrant that the information on this site is complete or current and while CYBER SPECIALIST GROUP uses reasonable efforts to include accurate and up to date information in the Site, CYBER SPECIALIST GROUP makes no warranties or representations as to its accuracy. CYBER SPECIALIST GROUP assumes no liability or responsibility for any errors or omissions in the content of the Site. The quotes, articles, news and views are not necessarily representative of the views of CYBER SPECIALIST GROUP. Some slides may include content considered inappropriate by some standards for some age groups. We take no responsibility for filtering content based on any standards of morality, religion, or politics. This site and its contents is provided on an “as is” basis. Unless specifically stated otherwise on the CYBER SPECIALIST GROUP, we make no representations or warranties of any kind with respect to this site or its contents. CYBER SPECIALIST GROUP disclaims all such representations and warranties, whether express or implied, including, but not limited to, warranties of merchantability and fitness for a particular purpose. CYBER SPECIALIST GROUP is not liable for any damages, whether compensatory, direct, indirect, incidental, special, or consequential, arising out of or in connection with the use of the Cyber Specialist Group site or the information thereon. If and to the extent any state does not permit the exclusion or limitation of liability for consequential or incidental damages, CYBER SPECIALIST GROUP’s liability, in such state, shall be limited to the fullest extent permitted by law. Many of the images that have been used in the website are Royalty Free images that CYBER SPECIALIST GROUP is fully permitted to use. Other images have been sourced directly from the Public domain, from where in most cases it is unclear whether copyright has been explicitly claimed. Our intention is to combine information that has been placed in the public domain together with images that have been placed in the public domain to create a visually and intellectually pleasing whole. Our intention is not to infringe any artist’s copyright, whether written or visual. We do not claim ownership of any image that has been freely obtained from the public domain. In the event that we have freely obtained an image or quotation that has been placed in the public domain and in doing so have inadvertently used a copyrighted image without the copyright holder’s express permission, we ask that the copyright holder writes to us directly at CyberSpecialistGroup.com, upon which we will contact the copyright holder to request full written permission to use the quote or images. The collection, arrangement and assembly of content on this site are the exclusive property of CYBER SPECIALIST GROUP and are likewise protected by copyright and other intellectual property laws.
Brian D. Brown, CyberSpecialist Group, www.CyberSpecialistGroup.com
404.849.3004
Brian is a nationally recognized expert in Network Security and Privacy (Cyber) exposures and Insurance. He has worked in the Cyber field for over a decade and had a hand in drafting the first Cyber products. He also developed and taught the first CIC classes on e-Business risk and insurance responses.
Having worked with both national brokers and carriers, he brings a unique and broad perspective to the subject. In addition to Cyber expertise, Brian was an account executive at national brokers, so he has a broad range of knowledge and skills in all areas of property and casualty insurance. He has been instrumental, in his career, in developing successful, innovative, cutting edge programs and products for both insurance carriers and brokers.
Brian is an active member of the PLUS Southeastern Chapter and a regular speaker for PLUS and RIMS events and seminars. He is also a published author in Property Casualty 360 and the American Bar Association magazine. In the last month he has an article in the Texas magazine, The Insurance Record – September 4, 2014, and another nationally in The Insurance Journal – September 22, 2014.
In his spare time Brian is a freelance fine artist and a Dad to his three children, and he currently resides in Atlanta, GA.
What you may be interested in with regard to Cyber Insurance
• Quick review of the coverage forms
• Review of Loss Data (what is available)
• The course of liability through vendor relationships
• Current Cyber Insurance marketplace
Coverage / Limits / Comments

Cyber Liability
Limits: $1,000,000+
Comments: Very few losses have occurred as it is difficult to prove damages. Recently, however, cases have had more success. As the litigation environment evolves, more successful third party suits are expected.

Crisis Management
Limits: $250,000 - $1,000,000+
Comments: Most Cyber losses currently occur as 1st party losses where the client suffers a Cyber event involving “Sensitive Personal Information” and must notify the affected individuals as quickly as possible, typically mandated by state law. Sensitive Personal Information is defined in most state law as:
– An individual’s first name (or initial) and last name in combination with:
  o Social Security Number
  o Driver License number
  o Credit Card combined with security (Password or PIN)
– Physical or mental healthcare information
(Note: There is typically a stipulation that Sensitive Personal Information is not subject to the state notification law if the information is encrypted.)
Besides the cost of notification, when a Cyber event occurs other costs to the company are necessary: 1. The cost to investigate what occurred (forensic costs), 2. Legal expenses, and 3. The cost for public relations. These coverages may be included in Crisis Management and typically carry separate sub-limits.

Fines and Penalties
Limits: $250,000+
Comments: The next most likely loss to occur is fines and penalties. These fines and penalties originate from the federal level (HIPAA), state laws and from the payment card industry (PCI) should a Cyber event occur. Typically, the cost for higher limits for fines and penalties is minimal, so companies should strongly consider purchasing limits in excess of the usual $250,000 limit.

Media Liability
Limits: Usually same limit as Cyber Liability limit
Comments: This is a coverage that complements the General Liability advertising exclusion, since it is easy for a company to become “…in the business of advertising…” on the internet. Typically, coverage is limited to on-line content.

Network Extortion
Limits: Usually same limit as Cyber Liability limit
Comments: This is coverage for the money demand from the attacker if they have compromised the network.
Cyber Forms
• Third Party Liability
• Crisis Management
– $$ Amount or # of Individuals?
– Sublimit for: Forensics, Legal, Public Relations
• Regulatory Fines and Penalties – Defense or coverage for Penalties?
• Media Coverage – Online content only?
• Extortion – What is this?
• Business Interruption – Extra Expense – What is the real exposure?
• Data Restoration – Is Data backed up daily? Exposure?
• Other coverages – System Breakdown, Addition of BI/PD coverage
Losses
• The average number of records lost was 2.3 million
• Average costs
– Claim payout - $3.5 million
– Crisis Services - $737,473
– Legal defense was $574,984
– Settlements - $258,099
Claim Payout is the estimate – most of the losses had not been fully developed
Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims, A Study of Actual Claim Payouts
Who is Ultimately Responsible
Organizations should include …protections around data breaches in their vendor contract…because data breach notification statutes…make it clear that the buck stops with the financial institution (or any other customer facing organization)
NOPE
http://searchfinancialsecurity.techtarget.com/tip/Data-breach-protection-Implementing-vendor-breach-safeguards
Tennessee Breach Law Provision
Written or electronic notice must be provided to victims of a security breach, within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If an entity is required to notify more than 1,000 persons at one time, it must report to all CRAs and credit bureaus that compile and maintain files on consumers the timing, distribution and content of the notices.
http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
Current Market for Cyber
• ACE – $25 million in primary capacity
• AIG – $25 million in primary capacity
• Allied World Assurance Company – $5 million in primary capacity
• Arch – $10 million in primary capacity
• Argo Pro – $5 million in primary capacity
• Axis – $10 million in primary capacity
• Beazley – $25 million in primary capacity
• Chubb – $25 million in primary capacity
• CNA – $10 million in primary capacity
• Crum & Forster – $5 million in primary capacity
• Hudson – $10 million in primary capacity
• Ironshore – $15 million in primary capacity
• Liberty International – $10 million in primary capacity
• London – various syndicates with different capacities
• Navigators – $10 million in primary capacity
• OneBeacon – $10 million in primary capacity
• Philadelphia – $5 million in primary capacity
• The Hartford – $10 million in primary capacity
• Travelers – $10 million in primary capacity
• XL – $10 million in primary capacity
• Zurich – $5 million in primary capacity
Board of Directors, Stockholders
“New NEW” Premium
Chief Underwriting Officers
“We really don’t know what the threats are, competition is requiring little information, rates seem way too low, and what about the catastrophe?”
Collected Helpful Websites
• http://advisen.com
• http://betterley.com
• http://bna.com
• http://bostoncomputing.net
• http://datalossdb.org
• http://eperils.com/pdf/cyber_terms.pdf
• http://ftc.gov
• http://idtheftcenter.org
• http://www.IRMI.com
• http://privacycg.com
• http://privacyinternational.org
• http://privacyrights.org
• http://rbs2.com/privacy
• http://www.eperils.com
• http://www.ic3.gov
• http://www.justice.gov/opcl/privacyact1974.htm
• http://www.ncsl.org/Default.aspx?TabId=13489
• http://www.ponemon.org
• http://www.privacy.ca.gov
• http://www.sophos.com
• http://www.symantec.com
• http://www.verizonbusiness.com
• https://www.javelinstrategy.com
• https://www.pcisecuritystandards.org
Copyright - Brian D. Brown, CyberSpecialist Consulting - For Myron Steves
?’s