
© Mandiant, a FireEye Company. All rights reserved.

The Canadian Threat Landscape FEI Canada

Threat Actor Motivations

Motivation    Objective                        Example                                        Character
Nuisance      Annoyance & ransom               Botnets & DDoS                                 Automated / conspicuous
Hacktivism    Defamation, press & policy       Website defacements                            Targeted / conspicuous
Cyber Crime   Financial gain                   Bank and credit card theft, insider trading    Targeted / opportunistic
Data Theft    Economic, military, political    Advanced persistent threat (APT)               Targeted / persistent
Disruption    Escalation, destruction          Destroy infrastructure                         Targeted / conflict driven


Syrian Electronic Army Compromise Case Study

Lookalike address used in the compromise: https://webmail.victim.co (notice the missing “m”: the attacker’s domain drops the final letter of the victim’s legitimate .com domain, so the hostname passes a casual glance at a login page)

“The fake tweet erased $136 billion in equity market value”

-Nikolaj Gammeltoft, Bloomberg News
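The missing-letter domain in the case study is one of a small family of registrable lookalikes (truncated or swapped TLD, dropped or transposed character, homoglyph such as “rn” for “m”, brand name buried in a subdomain). The script below is an added example, not code from the Mandiant presentation: it generates those variants for a protected domain and flags hostnames that match, so it can be run over hostnames pulled from proxy or DNS logs, newly registered domain feeds or certificate transparency logs. The protected domain “victim.com”, the candidate hostnames and the TLD list are constructed assumptions for the demo.

```python
"""Detect lookalike hostnames of the kind used in the case study above.

Added example: this is not code from the Mandiant presentation. The protected
domain "victim.com" and the candidate hostnames are constructed for the demo.
"""

# Single-character substitutions that look alike in many fonts.
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "o": ["0"], "l": ["1", "i"],
              "i": ["1", "l"], "e": ["3"], "a": ["4"]}
# TLDs an attacker can register cheaply; "co" is the truncated ".com" from the case study.
CANDIDATE_TLDS = ["com", "co", "cm", "om", "ca", "net", "org"]


def registrable(host: str):
    """Return (label, tld) of the registrable part: 'webmail.victim.co' -> ('victim', 'co')."""
    parts = host.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def variants(label: str, tld: str):
    """Map each lookalike registrable name of label.tld to the trick that produces it."""
    out = {}
    for t in CANDIDATE_TLDS:                      # victim.com -> victim.co, victim.cm, ...
        if t != tld:
            out[f"{label}.{t}"] = "tld-swap"
    for i in range(len(label)):                   # victim -> vctim
        out[f"{label[:i] + label[i + 1:]}.{tld}"] = "omission"
    for i in range(len(label) - 1):               # victim -> vitcim
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out[f"{swapped}.{tld}"] = "transposition"
    for ch, subs in HOMOGLYPHS.items():           # victim -> victirn
        for i, c in enumerate(label):
            if c == ch:
                for sub in subs:
                    out[f"{label[:i] + sub + label[i + 1:]}.{tld}"] = "homoglyph"
    out.pop(f"{label}.{tld}", None)               # never flag the genuine domain
    return out


def classify_host(host: str, protected_domains):
    """Return (protected_domain, trick) if host impersonates a protected domain, else None."""
    label, tld = registrable(host)
    observed = f"{label}.{tld}"
    for pd in protected_domains:
        plabel, ptld = registrable(pd)
        if (label, tld) == (plabel, ptld):
            return None                           # the genuine domain or one of its subdomains
        trick = variants(plabel, ptld).get(observed)
        if trick:
            return (pd, trick)
        # brand used as a subdomain of an unrelated domain: victim.com.evil.net
        if plabel in host.lower().split(".")[:-2]:
            return (pd, "brand-in-subdomain")
    return None


def scan(hosts, protected_domains):
    """Return [(host, protected_domain, trick)] for every flagged host."""
    findings = []
    for h in hosts:
        result = classify_host(h, protected_domains)
        if result:
            findings.append((h, *result))
    return findings


# Constructed sample: one genuine host, the case-study lookalike, three other tricks, one unrelated host.
SAMPLE_HOSTS = ["webmail.victim.com", "webmail.victim.co", "victirn.com",
                "vitcim.com", "victim.com.evil.net", "www.example.org"]

if __name__ == "__main__":
    for host, pd, trick in scan(SAMPLE_HOSTS, ["victim.com"]):
        print(f"{host:25s} impersonates {pd} ({trick})")
```

The variant generator deliberately stays small and exact-match: a fuzzy edit-distance score would also catch these, but exact variants give an analyst a named trick per hit and keep false positives on short brand names down. Subdomains of the genuine domain are never flagged, so the genuine webmail host passes.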



Chinese Government Motivations

The Chinese government is known to compromise global companies for the following reasons:

1. Theft of intellectual property
2. Inside knowledge of mergers, acquisitions, and divestments
3. Modernization of processes and technologies
4. Political reasons – political activists, spread of democracy, etc.
5. Amassing personal information for all residents of certain countries


Examples of Ways to Counter Attacks

• Identification and protection of our most critical assets
• Annual “red teaming” of environments (internal and external networks, social engineering, and web applications)
• Requiring two-factor authentication on all remote access (VPN, Citrix, Terminal Services, and webmail)
• Deployment of application whitelisting technology to critical assets (domain controllers, mail servers, file servers, etc.)
• Network compartmentalization of critical assets and data
• Limiting access to system backups to prevent intentional destruction
• Deployment of advanced malware detection/prevention technology at the perimeter (web and email)
• Searching for host- and network-based indicators of compromise on a periodic basis
• Inventorying service accounts and resetting their passwords on a periodic basis
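The periodic search for host- and network-based indicators of compromise in the list above is, in practice, a sweep of proxy, DNS and endpoint logs against a list of domains, IP ranges and file hashes. The following is an added example, not code from the presentation, of that sweep: it normalises indicators pasted in the “defanged” form threat reports use (hxxp://, [.]), matches domain indicators against subdomains as well as the exact name, matches addresses against CIDR blocks, and matches MD5/SHA-1/SHA-256 hashes. The indicator list, the log line format and the log lines themselves are constructed for the demo; the netblock is the 203.0.113.0/24 documentation range and the hash is a placeholder value, not a real malware hash.

```python
"""Periodic sweep of log lines for known indicators of compromise (IOCs).

Added example for the "searching for host and network-based indicators of
compromise" item above; it is not code from the presentation. The indicator
list and the log lines are constructed for the demo.
"""
import ipaddress
import re

HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")   # SHA-256, SHA-1, MD5
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def normalize_indicator(raw: str):
    """Turn a raw (possibly defanged) indicator into ('hash', hex) | ('ip', IPv4Network) | ('domain', name)."""
    v = raw.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    v = re.sub(r"^https?://", "", v)
    try:                                       # bare address or CIDR block (a /32 for a single address)
        return ("ip", ipaddress.ip_network(v, strict=False))
    except ValueError:
        pass
    if HASH_RE.fullmatch(v):
        return ("hash", v)
    host = v.split("/")[0].split(":")[0]       # drop URL path and port, keep the hostname
    return ("domain", host.rstrip("."))


def domain_matches(observed: str, indicator: str) -> bool:
    """An indicator domain matches itself and any subdomain: c2.bad.example matches bad.example."""
    return observed == indicator or observed.endswith("." + indicator)


def sweep(log_lines, raw_indicators):
    """Return [(line_no, kind, indicator)] for every log line that contains a known IOC."""
    iocs = [normalize_indicator(r) for r in raw_indicators]
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        text = line.lower()
        domains = DOMAIN_RE.findall(text)
        addresses = []
        for a in IPV4_RE.findall(text):
            try:
                addresses.append(ipaddress.ip_address(a))
            except ValueError:                 # e.g. 999.1.1.1 is not an address
                pass
        hashes = set(HASH_RE.findall(text))
        for kind, value in iocs:
            if kind == "domain" and any(domain_matches(d, value) for d in domains):
                hits.append((line_no, kind, value))
            elif kind == "ip" and any(a in value for a in addresses):
                hits.append((line_no, kind, str(value)))
            elif kind == "hash" and value in hashes:
                hits.append((line_no, kind, value))
    return hits


# Constructed indicator list, in the defanged style of a threat report.
INDICATORS = [
    "hxxp://update.bad-cdn[.]example/x.bin",   # defanged URL -> domain indicator update.bad-cdn.example
    "203.0.113.0/24",                           # documentation netblock (TEST-NET-3), standing in for a C2 range
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # placeholder (SHA-256 of empty input)
]
# Constructed proxy and endpoint log lines; the format is an assumption for the demo.
LOG_LINES = [
    "2015-09-16T10:02:11Z src=10.1.4.22 GET http://c2.update.bad-cdn.example/x.bin 200",
    "2015-09-16T10:03:40Z src=10.1.4.22 CONNECT 203.0.113.77:443",
    "2015-09-16T10:04:02Z src=10.1.4.23 GET http://www.example.com/ 200",
    "2015-09-16T10:05:00Z host=WS042 event=process_create "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=C:\\Users\\a\\svc.exe",
]

if __name__ == "__main__":
    for line_no, kind, value in sweep(LOG_LINES, INDICATORS):
        print(f"line {line_no}: {kind} indicator {value}")
```

Two design points matter when this is run on a schedule: a domain indicator must also catch subdomains (attackers rotate the host label and keep the registered domain), but the parent of an indicator is not flagged, because a report listing update.bad-cdn.example says nothing about bad-cdn.example itself; and indicators are normalised once, so a feed can be pasted in as published without hand-editing the defanging.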

QUESTIONS?

Charles Carmakal
Vice President
[email protected]
+1 864 735 7242

The Emerging Cybersecurity Threat - Legal and Regulatory Considerations
FEI Canada, September 16, 2015

Adam Kardash
Partner, Privacy and Data Management
Osler, Hoskin & Harcourt LLP

Privacy Liability Drivers

A series of drivers is fueling the increased prominence of privacy issues and risk, including:

• Rapid developments in information technology
• Explosion in the volume of data and in “data use”
• Data ubiquity
• Sophistication and breadth of the cybersecurity threat
• Legislative drivers
• Enhanced regulatory scrutiny
• Class action threat

Statutory Safeguarding Obligations

Safeguarding provisions require organizations to take reasonable technical, physical and administrative measures to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification or destruction.

Private Sector Privacy Legislation: Use Restrictions

General prohibition on the use of personal information without consent (subject to limited exceptions). Organizations may only collect, use or disclose personal information for purposes that a “reasonable person would consider appropriate” in the circumstances.

What is a “reasonable” safeguard?

“The reasonableness of security measures and their implementation is measured by whether they are objectively diligent and prudent in all of the circumstances. To acknowledge the obvious, “reasonable” does not mean perfect. Depending on the situation, however, what is “reasonable” may signify a very high level of rigour.”

(See BC Investigation Report F06-01)

What is a “reasonable” safeguard? (cont’d)

Findings by privacy regulatory authorities provide the following list of factors for organizations considering the reasonableness of their safeguards:

• Whether the security risk was foreseeable;
• The likelihood of damage occurring;
• The seriousness of the harm;
• The sensitivity of the personal information involved;
• The cost of preventative measures; and
• Relevant standards of practice.

Note: standards set a “minimum” set of expectations. (See, for example, Alberta Investigation Reports P2006-IR-005 and P2008-IR-002, and the OPC and OIPC Alberta Report of an Investigation into the Security, Collection and Retention of Personal Information, TJX Companies Inc. / Winners Merchant International L.P.)

Security Breach Notification Requirements

Alberta’s Personal Information Protection Act
• Includes a statutory obligation to notify the Alberta Commissioner of a breach where there is a real risk of significant harm to an individual.
• The Alberta Commissioner has authority to require organizations to notify affected individuals of a breach.
• All security breach decisions are posted on the OIPC website.

Security Breach Notification Requirements (cont’d)

Amendments to PIPEDA
• Include an obligation for organizations to report to the Commissioner any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
• Also require notification to affected individuals and to other organizations.
• Organizations must maintain a record of all incidents, accessible by the Privacy Commissioner.

Manitoba’s Personal Information Protection and Identity Theft Prevention Act (not in force)
• An organization must notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.

Impact of Security Breach Notification Requirements

• Enhanced transparency/reporting about security incidents within organizations.
• More notifications to affected individuals about security incidents.
• More media reports and general awareness about information security (or the lack thereof).
• More investigations/posted decisions by privacy regulatory authorities.
• Increased litigation risk: tort of invasion of privacy; Bell class action (misuse of data).
• More proactive efforts by organizations to address personal information security concerns.
• Increased costs to organizations due to all of the above.

Lessons Learned

Be prepared to respond to the following four requests during a privacy regulatory investigation of a security incident:

• Show us your organization’s security incident protocol, and how you implemented it.
• Show us your organization’s information security governance program.
• Show us evidence of your regular compliance monitoring.
• Show us evidence of regular training and awareness.

Lessons Learned (cont’d)

The significance of an effective security incident response plan cannot be overstated.

AccessPrivacy Security Incident Workshop findings:
• 78% of participants described their organization as having an open and honest culture of reporting privacy breaches.
• 80% of participants indicated that their organization had a data breach response plan, yet only 51% were confident that their organization's privacy breach response plan would be sufficient to respond to a public, large-scale security incident.
• 57% of participants indicated that their organization had an incident tracking program in place that facilitates tracking and reporting of privacy breaches.

FEI Cyber Discussion, September 16, 2015
MARSH (slides dated September 17, 2015)

A STRUCTURED APPROACH

A Structured Approach to Cyber Risk

Step 1: Understanding the risk exposure
“What does the organization’s current posture look like?”
• Dependency on vendors (cloud, mobile, hosting, etc.)
• Domicile of customers
• Compliance with regulatory requirements (including PCI)
• Critical asset inventory (what protections are in place?)
• Conduct a platform operational maturity assessment
• Reliance on technology to conduct business operations?

Step 2: Risk assessment
“What are the top risks which could materially impact the organization?”
• Review existing risk assessment material and identify top cyber risk elements
• Conduct interviews with internal business units and operational departments
• Based on the above, and an understanding of the business, create a common risk taxonomy with cyber risk categories and the cyber risk elements within each category
• Prioritize risk categories in terms of economic impact and frequency (likelihood)

Step 3: Risk quantification
“What are the economic implications of the risks identified?”
• Generate loss scenarios based on the priority risk categories
• Model the costs of a privacy breach, if relevant
• Quantify economic loss stemming from an interruption to the business due to a technology failure (internal or external – vendor)

Step 4: Recommendations and prioritization
“How can we mitigate these risks?”
• Based on the outcomes, seek to identify the root causes
• Align the largest risks with risk appetite
• Create risk mitigation recommendations for the highly exposed risk elements

EXPOSURE TO IMPACT

A Closer Look

Taxonomy of Cyber-Vulnerable Assets

An asset is any data, device, or other component of the environment that supports information-related activities. An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization.

• Financial Assets
• Corporate IP: Confidential Data / Trade Secrets; General Corporate Data
• Third-Party Data: B2B – Confidential Data; B2C – Personal Data
• Technology Infrastructure: Operational Technology; Core Information Systems; General Information Systems; Outsourced Systems
• Relationship Capital: B2C – Brand & Reputation; B2B – Commercial Relationships
• Cyber-Exposed Physical Assets

TOOLS FOR QUANTIFICATION

Marsh has a four-step process to think about cyber risk holistically:

1. Assessment: conduct a cyber risk assessment to understand the consequences of a cyber event from an impact and complexity perspective
2. Mapping: estimate the frequency and severity of events to prioritize
3. Modelling: calculate the impact of a record breach
4. Insurance Audit: design the most effective and efficient insurance program

IDEAL Cyber – Privacy Event Model: Step 3 Range of Outcomes
(chart not reproduced in the transcript) Note: the figures shown are the 99th-percentile outcome, i.e. in 99 of every 100 breach events the costs will be these amounts or lower.

IDEAL Cyber – Privacy Event Model: First Party Costs
(chart not reproduced in the transcript) Note: costs do not include business interruption and/or costs to recreate the data.

IDEAL Cyber – Privacy Event Model: Third Party Costs
(chart not reproduced in the transcript) Note: card reissuance liability will only be displayed with PCI as the record type.

Step 4: CYBER RISK INSURANCE AUDIT

The audit maps each privacy and cyber peril against the traditional policy lines (Property, General Liability, Fidelity Bond, Computer Crime, E&O, Special Risk) and against a broad privacy & cyber policy. On the slide each cell is colour-coded as covered, not covered, see notes, or dependent upon the specifics of the claim (may not be covered); only the coverage element of the broad privacy & cyber policy survives in the transcript and is listed here.

Peril → broad privacy & cyber policy coverage element

• Destruction, corruption or theft of your electronic information assets/data due to failure of computer or network → Information asset protection
• Theft of your computer system resources → Information asset protection
• Business interruption due to a material interruption in an element of your computer system due to failure of computer or network security (including extra expense and forensic expenses) → Network business interruption
• Business interruption due to your service provider suffering an outage as a result of a failure of its computer or network security → Network business interruption (sub-limited or expanded based upon risk profile)
• Indemnification of your notification costs, including credit monitoring services → Privacy liability (sub-limited)
• Defense of regulatory action due to a breach of privacy regulation → Privacy liability (sub-limited)
• Coverage for fines and penalties due to a breach of privacy regulation → Privacy liability
• Threats or extortion relating to release of confidential information or breach of computer security → Cyber extortion
• Liability resulting from disclosure of electronic information & electronic information assets → Network operations security
• Liability from disclosure of confidential commercial and/or personal information (i.e. breach of privacy) → Privacy liability
• Liability for economic harm suffered by others from a failure of your computer or network security (including written policies & procedures designed to prevent such occurrences) → Network operations security

Legend (colour-coded cells on the original slide): Not covered / Covered / See notes / Dependent upon specifics of claims, may not be covered

MARSH

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.

• Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.
• Copyright © 2014 Marsh Canada Limited and its licensors. All rights reserved. www.marsh.ca | www.marsh.com