Nearly 400 Dairy Queen Locations Infected with Backoff Malware · 2014-11-13 · 300 Stores in 20...
Nearly 400 Dairy Queen Locations Infected with Backoff Malware
Access to Undisclosed Number of Customer Names, Payment Card Numbers, and Expiration Dates
http://www.esecurityplanet.com/print/network-security/dairy-queen-acknowledges-major-credit-card-breach
300 Stores in 20 States Infected with Malware: Payment Card Data Exposed
Late September: 216 Stores Infected with Malware: Payment Card Data Stolen
October 10, 2014: POS Systems Compromised by Malicious Software: Certain Debit & Credit Cards Compromised
December 2013: Personal Information Stolen, 6,300 Nashville Teachers, Former State Employee
April & June 2014: HIPAA Data Compromised, 4.5 Million Individuals Affected, Mandiant (China)
MEDICAL DATA…
• 10x more valuable than Credit Cards on the Black Market
• Cyber Criminals increasingly targeting HealthCare market
• Medical identity theft not immediately identified by patient or provider
• Years to use credentials
“We've become entrenched in an ever-escalating battle to secure our systems from a determined and increasingly capable enemy,”
Mark Bengel, Chief Information Officer
State of Tennessee
10/1/2014
Defining your Strategy
What is at “stake”
• Federal and Commercial Sectors
www.axiostec.com
What are your “key impacts”
• Intellectual Property
• Patient/Financial/Employee Data
• Manufacturing Processes
Military Application: “Key Cyber Terrain”
Responsibility
• Not a “technical math problem”
• Does not only rest on CIO/CISO/IT experts
• Key operational leaders, i.e., CEO/COO/CFO, must be fully engaged
– Aviation Safety
– Installation Physical Security
– Nuclear Surety
Operational Assessments
• Choose your battles
• Everything cannot be protected
• Identify “showstoppers” and “crown jewels”
Military Application: Commanders and staff fully engaged/aware
The Fix
• Requires constant attention
• Not static, adversary sophisticated and savvy
• Continuous “risk oversight” at all levels
Military Application: Adaptive planning and Common Operational Picture
CyberSpecialist Group - 10/30/2014
My Part FINALLY!!
Obligatory disclaimer
To the best of our knowledge, all information included here falls under the fair use or public domain guidelines of copyright law in the United States. We strive for accuracy but cannot be held responsible for any errors in information featured in the slides or incorrect attributions. CYBER SPECIALIST GROUP does not represent or warrant that the information on this site is complete or current and while CYBER SPECIALIST GROUP uses reasonable efforts to include accurate and up to date information in the Site, CYBER SPECIALIST GROUP makes no warranties or representations as to its accuracy. CYBER SPECIALIST GROUP assumes no liability or responsibility for any errors or omissions in the content of the Site. The quotes, articles, news and views are not necessarily representative of the views of CYBER SPECIALIST GROUP. Some slides may include content considered inappropriate by some standards for some age groups. We take no responsibility for filtering content based on any standards of morality, religion, or politics. This site and its contents are provided on an “as is” basis. Unless specifically stated otherwise on the CYBER SPECIALIST GROUP, we make no representations or warranties of any kind with respect to this site or its contents. CYBER SPECIALIST GROUP disclaims all such representations and warranties, whether express or implied, including, but not limited to, warranties of merchantability and fitness for a particular purpose. CYBER SPECIALIST GROUP is not liable for any damages, whether compensatory, direct, indirect, incidental, special, or consequential, arising out of or in connection with the use of the Cyber Specialist Group site or the information thereon. If and to the extent any state does not permit the exclusion or limitation of liability for consequential or incidental damages, CYBER SPECIALIST GROUP’s liability, in such state, shall be limited to the fullest extent permitted by law. Many of the images that have been used in the website are Royalty Free images that CYBER SPECIALIST GROUP is fully permitted to use. Other images have been sourced directly from the Public domain, from where in most cases it is unclear whether copyright has been explicitly claimed. Our intention is to combine information that has been placed in the public domain together with images that have been placed in the public domain to create a visually and intellectually pleasing whole. Our intention is not to infringe any artist’s copyright, whether written or visual. We do not claim ownership of any image that has been freely obtained from the public domain. In the event that we have freely obtained an image or quotation that has been placed in the public domain and in doing so have inadvertently used a copyrighted image without the copyright holder’s express permission, we ask that the copyright holder writes to us directly at CyberSpecialistGroup.com, upon which we will contact the copyright holder to request full written permission to use the quote or images. The collection, arrangement and assembly of content on this site are the exclusive property of CYBER SPECIALIST GROUP and are likewise protected by copyright and other intellectual property laws.
Brian D. Brown, CyberSpecialist Group, www.CyberSpecialistGroup.com
404.849.3004
Brian is a nationally recognized expert in Network Security and Privacy (Cyber) exposures and Insurance. He has worked in the Cyber field for over a decade and had a hand in drafting the first Cyber products. He also developed and taught the first CIC classes on e-Business risk and insurance responses.
Having worked with both national brokers and carriers, he brings a unique and broad perspective to the subject. In addition to Cyber expertise, Brian was an account executive at national brokers, so he has a broad range of knowledge and skills in all areas of property and casualty insurance. He has been instrumental, in his career, in developing successful, innovative, cutting-edge programs and products for both insurance carriers and brokers.
Brian is an active member of the PLUS Southeastern Chapter and a regular speaker for PLUS and RIMS events and seminars. He is also a published author in Property Casualty 360 and the American Bar Association magazine. In the last month he has had an article in the Texas magazine The Insurance Record – September 4, 2014 – and another nationally in The Insurance Journal – September 22, 2014.
In his spare time Brian is a freelance fine artist and a Dad to his three children and currently resides in Atlanta, GA.
What you may be interested in with regard to Cyber Insurance
• Quick review of the coverage forms
• Review of Loss Data (what is available)
• The course of liability through vendor relationships
• Current Cyber Insurance marketplace
Coverage forms: Coverage / Limits / Comments

Coverage: Cyber Liability
Limits: $1,000,000+
Comments: Very few losses have occurred as it is difficult to prove damages. Recently, however, cases have had more success. As the litigation environment evolves, more successful third party suits are expected.

Coverage: Crisis Management
Limits: $250,000 - $1,000,000+
Comments: Most Cyber losses currently occur as 1st party losses where the client suffers a Cyber event involving “Sensitive Personal Information” and must notify the affected individuals as quickly as possible, typically mandated by state law. Sensitive Personal Information is defined in most state law as:
– An individual’s first name (or initial) and last name in combination with:
o Social Security Number
o Driver License number
o Credit Card combined with security (Password or PIN)
– Physical or mental healthcare information
(Note: There is typically a stipulation that Sensitive Personal Information is not subject to the state notification law if the information is encrypted.)
Besides the cost of notification, when a Cyber event occurs other costs to the company are necessary: 1. The cost to investigate what occurred (forensic costs), 2. Legal expenses, and 3. The cost for public relations. These coverages may be included in Crisis Management and typically carry separate sub-limits.

Coverage: Fines and Penalties
Limits: $250,000+
Comments: The next most likely losses to occur are fines and penalties. These fines and penalties originate from the federal level (HIPAA), state laws and from the payment card industry (PCI) should a Cyber event occur. Typically, the cost for higher limits for fines and penalties is minimal, so companies should strongly consider purchasing limits in excess of the usual $250,000 limit.

Coverage: Media Liability
Limits: Usually same limit as Cyber Liability limit
Comments: This is a coverage that complements the General Liability advertising exclusion, since it is easy for a company to become “…in the business of advertising…” on the internet. Typically, coverage is limited to on-line content.

Coverage: Network Extortion
Limits: Usually same limit as Cyber Liability limit
Comments: This is coverage for the money demand from the attacker if they have compromised the network.
Cyber Forms
• Third Party Liability
• Crisis Management
– $$ Amount or # of Individuals?
– Sublimit for: Forensics, Legal, Public Relations
• Regulatory Fines and Penalties – Defense or coverage for Penalties?
• Media Coverage – Online content only?
• Extortion – What is this?
• Business Interruption – Extra Expense – What is the real exposure?
• Data Restoration – Is Data backed up daily? Exposure?
• Other coverages – System Breakdown, Addition of BI/PD coverage
Losses
• The average number of records lost was 2.3 million
• Average costs:
– Claim payout - $3.5 million
– Crisis Services - $737,473
– Legal defense - $574,984
– Settlements - $258,099
Claim Payout is the estimate – most of the losses had not been fully developed
Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims, A Study of Actual Claim Payouts
Who is Ultimately Responsible
“Organizations should include …protections around data breaches in their vendor contract…because data breach notification statutes…make it clear that the buck stops with the financial institution (or any other customer facing organization)”
NOPE
http://searchfinancialsecurity.techtarget.com/tip/Data-breach-protection-Implementing-vendor-breach-safeguards
Tennessee Breach Law Provision
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless disclosure impedes a law enforcement investigation or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If an entity is required to notify more than 1,000 persons at one time, it must report to all CRAs and credit bureaus that compile and maintain files on consumers the timing, distribution and content of the notices.
http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf
Current Market for Cyber
• ACE – $25 million in primary capacity
• AIG – $25 million in primary capacity
• Allied World Assurance Company – $5 million in primary capacity
• Arch – $10 million in primary capacity
• Argo Pro – $5 million in primary capacity
• Axis – $10 million in primary capacity
• Beazley – $25 million in primary capacity
• Chubb – $25 million in primary capacity
• CNA – $10 million in primary capacity
• Crum & Forster – $5 million in primary capacity
• Hudson – $10 million in primary capacity
• Ironshore – $15 million in primary capacity
• Liberty International – $10 million in primary capacity
• London – various syndicates with different capacities
• Navigators – $10 million in primary capacity
• OneBeacon – $10 million in primary capacity
• Philadelphia – $5 million in primary capacity
• The Hartford – $10 million in primary capacity
• Travelers – $10 million in primary capacity
• XL – $10 million in primary capacity
• Zurich – $5 million in primary capacity
Board of Directors, Stockholders
“New NEW” Premium
Chief Underwriting Officers
“We really don’t know what the threats are, competition is requiring little information, rates seem way too low, and what about the catastrophe?”
Collected Helpful Websites
• http://advisen.com
• http://betterley.com
• http://bna.com
• http://bostoncomputing.net
• http://datalossdb.org
• http://eperils.com/pdf/cyber_terms.pdf
• http://ftc.gov
• http://idtheftcenter.org
• http://www.IRMI.com
• http://privacycg.com
• http://privacyinternational.org
• http://privacyrights.org
• http://rbs2.com/privacy
• http://www.eperils.com
• http://www.ic3.gov
• http://www.justice.gov/opcl/privacyact1974.htm
• http://www.ncsl.org/Default.aspx?TabId=13489
• http://www.ponemon.org
• http://www.privacy.ca.gov
• http://www.sophos.com
• http://www.symantec.com
• http://www.verizonbusiness.com
• https://www.javelinstrategy.com
• https://www.pcisecuritystandards.org
Copyright - Brian D. Brown, CyberSpecialist Consulting - For Myron Steves
?’s