Hot Topics in Cybersecurity & Employee Privacy · 2017-11-13 · ‣Keylogger - logs sequential...


Page 1

Hot Topics in Cybersecurity & Employee Privacy

Jimmy Byars, Esq., Associate

Cesar Burgos, CISA, CISSP, Director of Professional Services, Nextra Solutions

Employment & Labor Law Practice Group

Quarterly Breakfast Briefing

September 19, 2017

Page 2

www.nexsenpruet.com Hot Topics in Cybersecurity and Employee Privacy

OVERVIEW

CYBERSECURITY DEPENDS ON HAVING THE RIGHT PEOPLE, THE RIGHT PROCESSES, AND THE RIGHT TECHNOLOGY…

Page 3

OVERVIEW

…BUT CYBERSECURITY BEGINS AND ENDS WITH PEOPLE.

Information Governance Policies Company-Wide

Employment Policies

Implementation by People

Page 4

INDUSTRY EXPERIENCE

CESAR BURGOS

▸ Script Kiddy

▸ SOC Engineer

▸ Ethical Hacker

▸ Social Engineer

▸ Solutions Architect

▸ Systems Auditor

▸ Global DR Service

Page 5

Page 6

CYBERCRIME IS A BUSINESS

‣ Explosion in black market (“Dark Web”) value for data

‣ “Hacking as a service”

‣ Estimated average ROI of 1500%

‣ “Cybercrime as a commodity”

‣ Exploit kits, etc.

‣ Billions in losses each year

‣ Difficult to detect and adequately respond—especially with overseas actors

Page 7

CYBERCRIME IS A BUSINESS

2015 TARGETS BY INDUSTRY

‣ Source: Trustwave Global Security Report as reported by The Atlantic, Hacking Inc.: The Employee Handbook, 2016 [http://www.theatlantic.com/sponsored/hpe-2016/hacking-inc-the-employee-handbook/1049]

Page 8

WHO MIGHT BE BEHIND IT?

▸ Careless employee

▸ Criminal syndicate

▸ Malicious employee

▸ Hacktivists

▸ External contractor

▸ Lone wolf

▸ State-sponsored attacker

▸ Supplier

▸ Other business partner

▸ Customer

Page 9

WHAT DO HACKERS WANT?

‣ Confidential/proprietary company info

‣ Financial info (credit card numbers, direct deposit info, etc.)

‣ Personal identifying info (SSNs, DOBs, addresses, etc.)

‣ Corporate communications

‣ Malware/virus introduction

‣ Control

Page 10

HOW DO THEY GET IT?

Page 11

MOST COMMON METHODS

‣ Brute-force attack - a hacking method to find passwords or encryption keys by trying many candidates

‣ Catfish - creating a fake online profile to deceive

‣ Drive-by download - downloading of a virus or malware onto your device, without you choosing to install it

‣ Ghosting - theft of the identity of a deceased person

‣ Hash busters - random words or sentences inserted to bypass spam filters

‣ Keylogger - logs sequential keystrokes to figure out login credentials

‣ Malvertising - malicious online advertising containing malware

Page 12

MOST COMMON METHODS

‣ Pharming - when hackers use malicious programs to redirect website traffic to a site they control

‣ Phishing - trying to trick you into providing sensitive personal data

‣ Ransomware - a program which restricts access to a computer by hijacking files and demanding payment

‣ Spear phishing - phishing with a personalized email appearing to come from someone you know

‣ Spoofing - a person masquerading as someone else

‣ Spyware - malware installed on your computer to track actions and collect data

Page 13

CONSEQUENCES OF BREACH

TANGIBLE CONSEQUENCES = MONEY

Regulatory fines

Legal fees

Consulting fees

Notification fees

Security & privacy liability

Third-party costs

Page 14

CONSEQUENCES OF BREACH

INTANGIBLE CONSEQUENCES = TIME & REPUTATION

Business interruption

- 61 days from occurrence to discovery

- 8 days from discovery to containment

- 40 days until forensic investigation complete

- 41 days from discovery to notification

Reputational damage

Theft of intellectual property

Page 15

WHAT CAN WE DO?

THE 90-10 RULE

• Good security standards follow the "90 / 10" rule

- 10% of security safeguards are technical.

- 90% of security safeguards rely on people ("YOU") to assess risks, implement and communicate policies/procedures, and adhere to good computing practices.

• Example: The lock on the door is the 10%. You remembering to lock the lock, delegating locking rights to the right people, checking to see if the door is closed, ensuring others do not prop the door open, keeping control of the keys, testing the lock to make sure it works, etc. is the 90%. You need both parts for effective security.

• THE POINT: MOST CYBERSECURITY PROTECTION—AND MOST RISKS—COME FROM EMPLOYEES. Even well-meaning ones.

Page 16

WHAT CAN WE DO?

UNDERSTAND YOUR DATA AND ITS RISKS

‣ What do we have?

‣ Where and how is it stored?

‣ Who has access?

‣ How is access restricted—and by whom?

‣ How is access recorded? (logs, etc.)

‣ How is access monitored—and by whom? (security patches, etc.)

‣ What devices can access it, and who controls those devices?

‣ Do we have clear, effective, and comprehensive policies?

‣ How are those policies trained and implemented?

‣ WHAT COULD GO WRONG?

Page 17

WHAT CAN WE DO?

DEVELOP, COMMUNICATE, TRAIN, AND ENFORCE POLICIES

‣ Info governance policies – management/IT

- Committing funds

- Assessing & prioritizing risks

- Developing/implementing procedures

‣ Employment policies – IT/HR

‣ Training – IT/HR

‣ Auditing – IT

‣ Accountability – IT/HR

Page 18

INFORMATION GOVERNANCE POLICIES

IT STAFF PLAY AN IMPORTANT ROLE IN ELECTRONIC SECURITY

‣ IT security policies and related measures on the network side can both boost data security and provide important means for identifying movement of info and potential policy violations

‣ IT staff or consultants can play an important role in identifying where security gaps may exist and the best methods of preventing and detecting potential misappropriation

‣ Biggest issues/questions for IT staff to address:

1. Who can access the company’s confidential ESI?

2. What steps can be taken to limit access and discover misuse?

3. What role do employees play, and how should they be trained?

Page 19

ELECTRONIC SECURITY TOOLS – THE “TECH”

EXAMPLES

1. Data Loss Prevention (DLP) tools: monitor and report movement of data on/off the secure network to an external device or non-network location

2. Auto-encryption tools: automatically encrypt and password-protect data moved to external devices, and/or preclude access on computers/devices not connected to the company network

3. Email monitoring protocols: periodically generate reports of data emailed to non-company accounts

4. Access rights: restrict access to certain portions of the company network to authorized individuals on a need-to-know basis

5. Multi-factor authentication: require those with access to certain portions of the network to enter a password AND confirm identity through other means (phone, USB token, etc.)
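As an added illustration of item 3 (and the "movement of data off the network" reporting that item 1 describes), the following script is example code written for this page, not a tool from the presenters or from Nextra Solutions. It assumes a hypothetical, constructed mail-gateway log format (one line per message with sender, recipient, attachment name and size); real gateways log differently, so the parser is the part you would adapt. It flags messages sent to domains that are neither the company's own nor an approved partner, and rolls them up per sender so a periodic report can show who is emailing data to non-company accounts and how much.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in a hypothetical mail-gateway log format
# (not the output of any real product). One line per delivered message.
SAMPLE_LOG = """\
2017-09-14T08:02:11 from=david@example-corp.com to=alice@example-corp.com attach=none size=12288
2017-09-14T08:05:40 from=david@example-corp.com to=david.home@gmail.example attach=customer_intel.xlsx size=5242880
2017-09-14T09:17:03 from=alice@example-corp.com to=rep@vendor.example attach=sow.pdf size=204800
2017-09-14T11:41:55 from=david@example-corp.com to=david.home@gmail.example attach=pricing_midlands.docx size=98304
2017-09-14T13:09:22 from=bob@example-corp.com to=bob@example-corp.com attach=none size=4096
2017-09-14T15:30:08 from=david@example-corp.com to=contact@unknown-party.example attach=none size=2048
this line is malformed and must be skipped, not crash the report
"""

# Field layout of the hypothetical log line above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) attach=(?P<attach>\S+) size=(?P<size>\d+)$"
)


@dataclass
class MailEvent:
    ts: str
    sender: str
    recipient: str
    attachment: Optional[str]  # None when the message carried no attachment
    size: int


def parse_log(text: str) -> list:
    """Parse log text into MailEvent records, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attach = None if m["attach"] == "none" else m["attach"]
        events.append(MailEvent(m["ts"], m["sender"], m["to"], attach, int(m["size"])))
    return events


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def classify(event: MailEvent, internal_domains, approved_external) -> str:
    """Label a message by where it went: internal, approved partner, or unapproved external."""
    dom = domain_of(event.recipient)
    if dom in internal_domains:
        return "internal"
    if dom in approved_external:
        return "approved-external"
    return "unapproved-external"


def build_report(text: str, internal_domains, approved_external=frozenset()) -> dict:
    """Per-sender summary of mail to unapproved external domains: message count,
    attachments (timestamp, recipient, file name) and total bytes sent out."""
    report = defaultdict(lambda: {"unapproved_msgs": 0, "unapproved_attachments": [], "bytes_out": 0})
    for ev in parse_log(text):
        if classify(ev, internal_domains, approved_external) != "unapproved-external":
            continue
        entry = report[ev.sender]
        entry["unapproved_msgs"] += 1
        entry["bytes_out"] += ev.size
        if ev.attachment:
            entry["unapproved_attachments"].append((ev.ts, ev.recipient, ev.attachment))
    return dict(report)


if __name__ == "__main__":
    # Company domain and the one vendor cleared to receive files are assumptions for the demo.
    for sender, entry in build_report(SAMPLE_LOG, {"example-corp.com"}, {"vendor.example"}).items():
        print(sender, entry["unapproved_msgs"], "msgs,", entry["bytes_out"], "bytes out")
        for ts, rcpt, name in entry["unapproved_attachments"]:
            print("   ", ts, rcpt, name)
```

The approved-partner set is what keeps the report from drowning in legitimate vendor traffic; the design choice to report per sender rather than per message is what turns a log into something HR and IT can act on under the monitoring policy the slides describe.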

Page 20

ELECTRONIC SECURITY TOOLS – THE “TECH”

BEST PRACTICES

‣ KNOW WHAT YOU NEED

‣ Multi-vendor approach

‣ Implement automated systems with great alerting and reporting

‣ Audit and test third-party vendors

Page 21

INFORMATION GOVERNANCE POLICIES

PHYSICAL SECURITY MEASURES

‣ Physical security measures can serve to restrict physical access to sensitive info, track who had access to info and when, and deter misappropriation

‣ Examples:

1. Keycards

2. Video surveillance

3. Screen barriers

4. Remotely-accessed or time-delayed doors

5. Physical locks on workstations or computers

6. Secure shredding

Page 22

EMPLOYMENT POLICIES & PROCEDURES

DATA SECURITY BASICS

‣ Written security policies are critical to protecting the company’s electronically-stored info (ESI)

‣ Not enough to just have policies – they need to be communicated, followed, and enforced

‣ At a minimum, policies should define:

1. What types of ESI are confidential

2. Where and how confidential ESI must be stored or accessed, and by whom

3. Restrictions on transfer/reproduction

4. Company monitoring rights

Page 23

DATA SECURITY POLICIES & PROCEDURES

EXAMPLE POLICY CONTENT

‣ Only access, store, and/or use info to which you have a “need to know” to perform job duties

‣ Confidential info must be encrypted, password protected, and/or maintained solely on the Company secure network

‣ *Transfer of Company information to external devices, networks, or accounts is prohibited unless expressly authorized*

‣ All Company-owned devices and information stored thereon are exclusive Company property… may be monitored, intercepted, etc. at any time without notice. NO EXPECTATION OF PRIVACY IN USE OF COMPANY PROPERTY

‣ Company-owned devices and related passwords cannot be shared with or accessible to anyone, including coworkers

‣ No copies/reproductions of ESI unless necessary to perform job duties or otherwise expressly authorized

Page 24

DATA SECURITY POLICIES & PROCEDURES

EMPLOYEE PRIVACY ISSUES

‣ Privacy rights are limited…but not non-existent

‣ Policies, procedures, and tech must balance privacy

‣ Employment policies should clearly identify the limits of employees’ “expectation of privacy”

‣ Potential issues with “surveillance”

- Property rights (think BYOD)

- Consent (audio vs. video vs. electronic)

- NLRA risks – “protected activity”

- Stored Communications Act

- Whistleblower protections

Page 25

ONBOARDING DATA SECURITY PROCEDURES

NEW HIRE CHECKLIST

‣ Ensure employee does not have a risk history (i.e., appropriate background/reference check in accordance with job role)

‣ Ensure all devices employee will use have appropriate security tools and apps installed and functional

‣ Ensure network access is configured in accordance with job description – including remote access rights

‣ Distribute handbook and/or other policies and require employee to sign acknowledgement of receipt

‣ TRAIN employee on confidentiality/e-security policies and permissible access, use, and disclosure of info

Page 26

ONBOARDING DATA SECURITY PROCEDURES

COMMON SCENARIOS & MIS-STEPS

‣ Access rights. David is solely responsible for selling/marketing products in the Midlands. But his username/password to get on the company’s internal networks give him access to everything – R&D, customer accounts/payment data, competitive data for other markets, company credit/routing numbers, etc.

‣ Devices. The company lets David use his own laptop/phone for work purposes. He’s supposed to install some security software, but no one checks or coordinates that process.

‣ VPN. Since he travels so much, David is provided with VPN rights to access the company’s networks remotely from the road or from his home, with no restrictions on the device being used and no change in log-in requirements from ordinary network access.
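The "Access rights" mis-step above is a need-to-know failure: David's role justifies a small set of resources, but his account holds far more. The script below is an added example written for this page (not code from the presenters), showing how the onboarding checklist's "configure access in accordance with job description" and the policy's "need to know" rule look when written down as a role-to-resource map, with an audit that finds accounts holding grants their role does not justify. The role names, resource names and the directory snapshot are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Hypothetical role-to-resource map: the resources each job role legitimately needs.
# Anything not listed for a role is, by definition, outside that role's need to know.
ROLE_RESOURCES = {
    "sales-midlands": {"crm/midlands", "pricing/midlands", "email"},
    "rd-engineer": {"rd/source", "rd/designs", "email"},
    "finance": {"finance/banking", "finance/payroll", "email"},
}


@dataclass
class Account:
    username: str
    role: str
    grants: set = field(default_factory=set)  # resources the account actually holds today


def permitted(account: Account) -> set:
    """Resources the account's role needs. An unrecognised role needs nothing."""
    return ROLE_RESOURCES.get(account.role, set())


def provision(username: str, role: str) -> Account:
    """Onboarding: create an account holding exactly what its job role needs, no more."""
    if role not in ROLE_RESOURCES:
        raise ValueError(f"no access profile defined for role {role!r}")
    return Account(username, role, set(ROLE_RESOURCES[role]))


def check_access(account: Account, resource: str) -> bool:
    """Need-to-know check: allowed only if the role needs the resource AND it was granted.
    A stray grant (like David's R&D access) is therefore refused even though it exists."""
    return resource in permitted(account) and resource in account.grants


def audit_grants(accounts) -> dict:
    """Return {username: sorted excess grants} for every account holding more than its role needs."""
    findings = {}
    for acct in accounts:
        excess = acct.grants - permitted(acct)
        if excess:
            findings[acct.username] = sorted(excess)
    return findings


def revoke_excess(account: Account) -> list:
    """Trim an account's grants back to its role's need-to-know set; returns what was removed."""
    removed = sorted(account.grants - permitted(account))
    account.grants &= permitted(account)
    return removed


# Constructed directory snapshot mirroring the slide's scenario: David's role is regional
# sales, but his account has been handed R&D, banking and another region's CRM as well.
DIRECTORY = [
    Account("david", "sales-midlands", {"crm/midlands", "pricing/midlands", "email",
                                        "rd/designs", "finance/banking", "crm/northeast"}),
    Account("alice", "rd-engineer", {"rd/source", "rd/designs", "email"}),
    Account("bob", "finance", {"finance/banking", "email"}),
]


if __name__ == "__main__":
    for user, excess in audit_grants(DIRECTORY).items():
        print(f"{user}: holds {len(excess)} grant(s) outside role need-to-know: {excess}")
```

Running the audit periodically (the slides' "auditing – IT") catches the drift that accumulates after onboarding; `revoke_excess` is the remediation step, and an account with a role nobody defined shows up as wholly excessive, which is the right default for a contractor or transfer whose access profile was never written down.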

Page 27

EMPLOYMENT PHASE DATA SECURITY PROCEDURES

EMPLOYMENT CHECKLIST

• Frequent training on security policy

• Periodic updates/workshops on security practices in the workplace

• Recognizing and reporting potential security risks

• Password complexity and management

• Proper handling & disposal of confidential documents & information

• Third-party access to work spaces

• Email authentication procedures (the “social engineering” problem)

• Communicate about security threats as they are identified and addressed

• Make information security duties part of the job description

Page 28

EMPLOYMENT PHASE DATA SECURITY PROCEDURES

COMMON SCENARIOS & MIS-STEPS

‣ Bad passwords. David’s password is his wife’s name and their wedding date—the same password he uses for everything else. (Remember the VPN…)

‣ Document management. When David needs to work from home, he emails (unencrypted) documents to his personal email account to avoid going through the VPN. He also throws documents in the trash when he’s done.

‣ Devices. David’s kids know the password to his work tablet so they can get online when his wife is using the family computer. One kid loses the tablet on a family trip, so David just buys another and loads it with data using a USB drive.

‣ Vendors. David is working with a vendor to do a customer analysis, and a customer intelligence file kept on the company intranet is too big to send via email. He loads it on his personal Google Drive account and sends a link to the vendor.

Page 29

EMPLOYMENT PHASE DATA SECURITY PROCEDURES

SOCIAL ENGINEERING

‣ Obtaining confidential info by manipulation of legitimate users: “users are the weak link in security”

‣ Generally involves communications with the indicia of legitimacy to people who may be tricked into disclosing or providing data or access to other internal networks

‣ Sometimes it only takes one hook into the company’s network to set off a data breach chain

‣ Example: John Podesta

‣ What can be done? Users must be familiar enough with security procedures to identify suspicious activity, and must know a verifiable and trusted person to contact with questions or concerns.

Page 30

EMPLOYMENT PHASE DATA SECURITY PROCEDURES

SOCIAL ENGINEERING: HOW A HACKER WORKS

• Posed as Tracy from I/T and wanted Carl to provide his password for strength testing. He would not immediately respond but offered to call me back after I sent him an email request. We then sent him a “spoofed” email message asking to call 585-721-0159 (cell phone of Jeff Thon, xDefenders). Carl called back immediately and provided his password.

• We called Tracy and posed as Steve of a Sister Company and told him that our password was not working and we needed another. Tracy gave us a temporary password.

• We called Dave and posed as Matt (learned that Matt handles DNS changes from Tracy) and told him that we need a new password with 8 characters for the Active Directory roll-out. We asked for the current password and he gave them to us.

Page 31

OUTBOARDING DATA SECURITY PROCEDURES

TERMINATION CHECKLIST

‣ Require employee to surrender ALL company devices (phone, tablet, laptop, external storage, etc.) immediately upon receiving notice of resignation/termination

‣ Immediately disable all electronic access to company networks, devices, etc. (remote wipe if necessary)

‣ Require employee to return ALL hard-copy documents or other employer property and sign acknowledgement confirming all has been returned

‣ Provide escort/supervisor for offboarding process

‣ Remind employee in writing of restrictive covenants and provide duplicate copies

‣ Consider IT audit of network activity

Page 32

OUTBOARDING DATA SECURITY PROCEDURES

COMMON SCENARIOS AND MIS-STEPS

‣ Work the notice. David unexpectedly gives his two weeks’ notice. The company lets him keep working and doesn’t restrict his electronic access to internal networks.

‣ Keep the devices. David was a BYOD employee; he used a personal iPhone and iPad for work. Someone is supposed to remotely wipe them, but he said he deleted everything off them, so nothing gets reviewed.

‣ Bad blood. David’s company tells him he’s fired when he tries to resign. His manager is busy and doesn’t promptly call IT to cut off his network rights. David still has VPN access 3 days later.

‣ Vendors. David forgets to get in touch with the 3rd party vendor to whom he sent the client intelligence file. The vendor’s rep gets mad because they never got paid.

Page 33

IF A BREACH OCCURS

STEP 1: ASSESS THE SITUATION

1. Assemble a response team

‣ Decision-makers (key executives)

‣ Legal

‣ Information Security/Technology

‣ PR/Communications

‣ Designated Spokesperson(s)

‣ 3rd party vendors?

2. Stop the bleeding

3. Gather the facts to assess the damage

4. Consider legal vs. PR obligations

5. Come up with a plan for mitigating/addressing the breach

Page 34

IF A BREACH OCCURS

STEP 2: DEVELOP MESSAGE TO STAKEHOLDERS

1. This is what happened…

2. This is how it happened…

3. This is what we’ve done to stop it…

4. This is what we’re doing to protect you/those harmed...

5. This is what we’re doing to help make sure it never happens again…

6. Last but not least: We’re sorry for any damage/concern/trouble this may have caused.

P.S. Always tell the truth.

Page 35

IF A BREACH OCCURS

STEP 3: DECIDE WHO TO TELL AND HOW TO TELL THEM

Communications should be timely and coordinated

‣ Board members, key benefactors or partners

‣ Officials: elected or regulatory officials, law enforcement as appropriate

‣ Employees...all of them

‣ Those affected/harmed: customers, patients, members, employees

‣ Media: affirmative response if reportable market event (public company) or high likelihood of coverage; otherwise, prep media statement for response

‣ Notification options depend on type of threat: email, letter, phone call, website, media, social media

Page 36

IF A BREACH OCCURS

STEP 4: MONITOR AND IMPROVE

‣ Monitor damage and consumer response

‣ Assess likelihood of any continuing risks and alert mechanism to ensure damage is stopped

‣ Online: social media, blog posts, chat rooms

‣ Provide forum for public/customer questions, comments and complaints (e.g., a call center)

‣ Update communications as needed and appropriate

‣ Learn from the experience and update policies, practices, and training accordingly

Page 37

THE BIG PICTURE

‣ Cybersecurity isn’t just a problem for big businesses, and it isn’t just the job of IT

‣ Processes and technology are important safeguards, but employees play the most critical role

‣ Well-defined, company-specific policies + regular, meaningful training go a long way to minimize risks

‣ HR/management play a critical role in communicating employee responsibilities and demanding accountability

‣ CONSIDER AN AUDIT if there is any doubt about how well your policies/procedures guard against today’s risks

Page 38

QUESTIONS/COMMENTS?

Jimmy Byars

803-540-2051

[email protected]

Cesar Burgos

803-540-2093

[email protected]