Managing a Data Breach Prevention-Detection-Mitigation

Presentation transcript:

Managing a Data Breach: Prevention, Detection, Mitigation. By Gerard Joyce, Dun Laoghaire, Sept 28th 2017

"There are two types of organisations; those that have been hacked and those that are going to be hacked." Robert Mueller, FBI Director

Overview
- Who We Are and What We Do
- What is a 'Data Breach'?
- Prevention - Exercise 1
- Detection - Exercise 2
- Mitigation - Exercise 3
- To Do List

Who We Are and What We Do
- Experienced Risk & Compliance Professionals
- Members of IRM, ACOI, ACCA, ISI...
- Involved in the Development of Standards
- We make a Governance, Risk & Compliance Solution called CalQRisk
- CalQRisk is used by 150+ regulated firms, including Brokers, Financial Advisors, Fund Management Companies, Fund Administrators, Credit Unions, Solicitors and Local Authorities

What is a 'Data Breach'?
Data that you are 'controlling' is accessed / viewed / altered by unauthorised persons.
Data could be:
- Personal Identifiable Information (PII)
- Trade Secrets / Business Processes
- Intellectual Property
Cause of Breach:
- Could be intentional, criminal
- Could be accidental

Yahoo, September 22, 2016: The company revealed that a "state-sponsored actor" stole data associated with some 500 million accounts from its servers in late 2014. Russian hackers are suspected to be behind the attack. Shortly after the breach announcement, a source familiar with the matter told ABC News that Yahoo only became aware of the data breach in July, after news reports of a hacker attempting to sell some 280 million accounts on the dark web.

Cyber security firm FireEye says the global median time it takes to discover a breach is 99 days (2016 data, down from 146 days in 2015; M-Trends 2017, A View From the Front Lines, p. 47). The Equifax breach wasn't discovered for 141 days.

Diagram: Risk Assessment. A Data Breach is addressed through Prevention, Detection and Mitigation; the supporting elements are a Documented Policy, controls against Unauthorised Access, and Incident Response.

Exercise 1: What are the threats and what can you do to prevent them?
Think: Who? How? What?

Exercise 1: Who?
- Hackers and Hacktivists
- Disgruntled Employees
- Careless Employees
- Criminal Organisations
- Aggressive Competitors
- Hostile Nation States

Exercise 1: How? (What vulnerabilities will they exploit?)
- Unwitting Employees / Social Engineering
- Unpatched Flaws in Systems
- Less Secure Service Providers
- Insecure Cloud Storage
- Mobile Devices

Exercise 1: What? (What is of interest?) What are your 'Crown Jewels'?
- Personal Data
- Customer Data
- Money
- Trade Secrets / Intellectual Property

Risk Controls – Data Breach (Swiss Cheese Model diagram)
Threat sources: Employee - Intentional; Employee - Unintentional; IT Glitch.
Prevention control layers: Policy; Procedures; Code of Practice; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification.
Where the holes in the layers line up: Unauthorised Access, leading to a Data Breach.

Why Detection is Important
- Fines imposed will be proportional to the 'Dwell Time'
- The longer the theft is going on, the more data gets stolen
- The quicker a breach is detected, the quicker action can be taken to mitigate the impact

Exercise 2: How would you know you have a breach?
Think:
- Who would recognise it first? (You, Your Customer...)
- What the signs might be
- Service Delivery - How might that be affected?

Exercise 2: How would you know you have a breach?
- Customers Tell You
- Service is Disrupted
- Unusual Traffic on your Network
- Credit Card Company Calls
- Data is Corrupted
- Your Intellectual Property appears "online"

Risk Controls – Data Breach (Swiss Cheese Model diagram, with detection added)
Threat sources: Employee - Intentional; Employee - Unintentional; IT Glitch.
Prevention control layers: Policy; Procedures; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification.
Detection control layers: Monitor Feedback; Measure Service; Monitor Network Traffic; Maintain Good Comms; Monitor Data Integrity; Monitor Press / SocMed.
Where the holes in the layers line up: Unauthorised Access, leading to a Data Breach.

Mitigation – Be Ready to Respond
- Incident Response Plan (more about this in a moment)
- Before the Incident occurs:
  - Restrict 'lateral movement' in the Network (IT)
  - Identify an individual to take charge
  - Identify partners (3rd Party) that you might need: Legal counsel, Public Relations, IT Forensics
- After the Incident – Review your policies and procedures

Exercise 3: What should be in an Incident Response Plan?
Think:
- Who do you call?
- What do you do, in what order?
- Who does what?

Data Breach: Almost 157,000 TalkTalk customers had their personal details hacked. When the cyber-attack was revealed, TalkTalk said it did not know how many customers were affected, raising concerns that hundreds of thousands of customers could be at risk. The company was criticised for its lack of information and for failing to take precautions after being hacked twice before this year. Two teenage boys arrested.

Response Plan
- Incident Lead, Incident Team
- Individual Roles and Responsibilities
- Contact List of People that might need to be involved
- Protocols During a Breach:
  - How to assess scope of breach
  - How to Collect Evidence
  - How to stop the Data Loss
- Forms to Record Details / Action
- Communications (Internal, Customers, DPC, Press)
- Review – Learn from Incidents / Exercises

Notification (Art 33)
- Describe nature of the personal data breach: number of subjects concerned; categories and numbers of records
- Communicate name of the DPO / contact
- Describe likely consequences of breach
- Describe measures taken / proposed to be taken to address it, including mitigation of 'side-effects'
- Can provide information in phases
- Document breach and action taken

Communication (Art 34)
Where there is high risk to the data subject, communicate to the data subject without delay.
- Clear and plain language
- Nature of the breach
- Contact details for DPO / contact
- Likely consequences
- Measures taken
Not required if:
- Technical measures make the information unintelligible
- Disproportionate effort would be required; can be a public communication instead

Risk Controls – Data Breach (Swiss Cheese Model diagram, with mitigation added)
Threat sources: Employee - Intentional; Employee - Unintentional; IT Glitch.
Prevention control layers: Policy; Procedures; Training & Education; Checks; Intrusion Prevention; Anti-Virus Software; Strong Access Control; Encryption; Data Classification.
Detection control layers: Monitor Feedback; Measure Service; Monitor Network Traffic; Maintain Good Comms; Monitor Data Integrity; Monitor Press / SocMed.
Mitigation control layers: Response Plan; Privacy Impact; Notification Plan; Communications Plan; Collect Evidence; Review Controls; Document Action.
Where the holes in the layers line up: Unauthorised Access, leading to a Data Breach.

To Do List
- Assign management responsibilities
- Identify all assets that need protection
- Conduct an impact assessment
- Review access rights, incl. privileged access rights
- Review update/patching policy
- Review whether malware detection is up-to-date
- Policy & procedures for continuous monitoring of the network
- Consider implementing intrusion detection tools
- Procedure for reporting 'events'
- Response Plan

Thank You gjoyce@calqrisk.com