Cybersecurity and liability your david willson
•
0 gostou•688 visualizações
As a business owner, what is your level of liability if your company or someone you are connected to is breached?
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a Cybersecurity and liability your david willson
Semelhante a Cybersecurity and liability your david willson (20)
Último
Último (20)
Cybersecurity and liability your david willson
- 1. DavidWillson, Esq. CISSP Titan Info Security Group “A Risk Management and Cyber Security Law and Consulting Firm” Cybersecurity and Liability: Are you informed?
- 2. Agenda Suffering a Breach is a foregone conclusion, but how bad is it really? Why we are still optimistic Emperor has no clothes The Problem and the Perfect Storm Computers – IT – Cyber Security - Risk
- 3. Agenda cont. What you can do Now, before the breach When the breach is discovered After the breach TheAssessment The Policy TheTraining
- 4. Bottom Line Do an assessment Write the policies Train employees Know when to ask for help (e.g. collaborate with someone to help you assess the risk to your business, your customers, etc. Collaborate with a cyber security expert)
- 6. How were they breached? Target:Target breach also started with a hacked vendor — a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. (PoS) Home Depot: IT told to minimize costs and system downtime at the expense of improving security. crooks initially broke in using credentials stolen from a third-party vendor. (facing at least 44 civil suits) (PoS) Sears/Kmart: (PoS)
- 7. How were they breached? cont. Chick-fil-A: (PoS) Detected by a credit card association who notified financial institutions that payment card systems had been breached. Breach occurred between Dec. 2013 and Sept 2014. See the connections, and length of time? JP Morgan: 76 million households and 8 million small businesses. Root cause – employee’s computer. Georgetown law professor: "JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked," he said. "There’s really no way you can be connected to the Internet and keep things safe." US Postal Service: 800,000 employee records.Also the Pentagon, NOAA, OPM, the White House and more.
- 8. How were they breached? cont. White House:The breach was reported to the Govt via an ally. Like many breaches, it was not discovered internally but reported by an outside third-party. Sony:Well, depending on who you believe, it was either North Korea who was mad because their dictator’s head explodes in a movie that was supposed to be released over Christmas, or, it was former employees who were terminated, or a combination, or maybe something or someone much more nefarious? *These are just a few of the many breaches that are known. On average most breaches were discovered months after they were initiated, if you can even trust those statistics. Consider the Shady RAT report from McAfee in 2012.They discovered hackers had been in 70 large companies and nation government computers for 5 years, since 2006, before anyone detected them!
- 9. The Art of Deception Can we really trust the results of investigations that say XXX was responsible for the breach? Think about it: if you are going to commit a crime, isn’t making it look like someone else is responsible a great ruse? So, who really created and released Stuxnet?Who really attacked Estonia? Did North Korea hack Sony? * Can we really know?
- 10. SURVEY Would you believe me if I said, 80% of companies in the US have been or will be breached? Statement made by the Director of the FBI!
- 11. SURVEY Does anyone believe there is an 80% chance that their company will suffer a breach in the next year? 50% chance? 30%?
- 12. SURVEY Does anyone believe there is an 30% chance another company will be breached? 50% chance? 80%?
- 13. SURVEY When surveyed in my classes, most believe their neighbor will be breached but not their company? Why?
- 21. The Perfect Storm IT Security • InformationTechnology: “the technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data.” Merriam-Webster • The emperor has no clothes!
- 22. blog.etq.com
- 23. Who is Responsible for Corporate Risk? www.caldwellpartners.com
- 24. The Castle Walls have Fallen! www.dreamatico.com
- 25. Who are You Connected To? You Cloud Provider Customer ManufacturerISP Integrator
- 27. Are You Potentially Liable? What if you are breached? What if someone you are connected to or provide service to is breached?
- 28. Negligence-Liability & the Target Case Dec. 2 ruling, Judge Paul A. Magnuson of the U.S. District Court in St. Paul, Minnesota, refused to dismiss the litigation. He said plaintiffs can proceed with their lawsuit on a theory of negligence. He further stated:“At this preliminary stage of the litigation, plaintiffs have plausibly (pleaded) a general negligence case.”“Although the third-party hackers' activities caused harm,Target played a key role in allowing the harm to occur.”
- 29. Negligence-Liability & the Target Case cont. The ruling essentially holds thatTarget may have been responsible for the damages the hackers caused even though there may have been no direct contractual relationship between the retailer and the credit card issuers. Judge Magnuson concluded,“that there can be a direct duty between the issuing banks and the retailer, and that lets them get over this motion to dismiss hurdle.”
- 30. Negligence-Liability & the Target Case cont. So, two significant findings that impact us 1. Plaintiffs have put forward enough evidence to show negligence might be proven. 2. At this point in the case, a causal connection and duty to protect might be proven between the banks andTarget.
- 31. Negligence-Liability & the Target Case cont. You need to be prepared ahead of time Make sure you have a proper incident response plan in place, and, Appropriate lines of authority so there is an immediate response when a red flag appears. “The more reasonable the steps [businesses] take — and document — to protect consumer data, the more likely they are to survive a conduct- based challenge.” (E.g. Negligence claim) See:Business Insurance,“Target’s data breach liabilities mount as credit card issuers’suit proceeds,” http://www.businessinsurance.com/article/20150104/NEWS07/301049970?tags=|299|75|303|335
- 32. What Can You Do to Protect Yourself? www.youngupstarts.com
- 33. What to do before during and after the breach! Assess Draft Train
- 35. Assess What do you collect, process, and store? Categorize it Where does it come in from? Who has access to it? Any outside vendors?What’s their security? Cloud provider?
- 36. Policies Do you have written policies? Two goals Outline process and policy to inform workforce Provide proof of a plan
- 38. Policies
- 41. Train Ensure employees are aware of policies Teach them how to recognize the risks Teach them how to react Teach them what to say
- 43. Final Note: the Cloud Who holds your stuff? What’s their security? Who do they allow to see your stuff? What can you do?
- 44. Do You Feel Lucky? If not,get yourself a Plan!! http://www.youtube.com/watch?v=u0-oinyjsk0
- 45. Don’t Be This Guy!! http://1rico.wordpress.com/2011/02/01/
- 46. Self Risk Assessment Form If you would like to receive my self risk assessment form please call or email me and I will send to you. I will also make it available to PSATEC to post so you can get it there. If you have the time and desire, it will help you make the initial steps to assess the state of your security.You can also use it to ask customers to provide feedback to find out where their state of security is.
- 47. Q & A David Willson Attorney at Law CISSP Titan Info Security Group 719-648-4176 david@titaninfosecuritygroup.com www.titaninfosecuritygroup.com