© Mandiant, a FireEye Company. All rights reserved.
The Canadian Threat Landscape FEI Canada
Threat Actor Motivations
Nuisance
  Objective: Annoyance & Ransom
  Example: Botnets & DDoS
  Character: Automated / Conspicuous
(Targeted row: not captured in the transcript)
Threat Actor Motivations
Nuisance
  Objective: Annoyance & Ransom
  Example: Botnets & DDoS
  Character: Automated / Conspicuous
Hacktivism
  Objective: Defamation, Press & Policy
  Example: Website Defacements
  Character: Conspicuous
(Targeted row: not captured in the transcript)
Syrian Electronic Army Compromise Case Study
https://webmail.victim.co (notice the missing m)
Syrian Electronic Army Compromise Case Study
“The fake tweet erased $136 billion in equity market value”
-Nikolaj Gammeltoft, Bloomberg News
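The lure in this case study worked because a human reader did not notice one missing letter in a hostname. The check below is an added example, not Mandiant's tooling or anything from the original deck: it runs a lookalike-domain heuristic over web proxy log lines so the comparison is done by a machine rather than by eye. The log format, the list of legitimate domains (victim.com and webmail.victim.com, standing in for the case study's real target) and the sample lines are all constructed. It generalizes the slide's single "missing m" case by comparing both the full hostname and its registrable part against every legitimate domain with an edit-distance threshold, so dropped, swapped and substituted characters are all caught.

```python
"""Flag lookalike ("typosquat") hostnames in web proxy logs.

Added example for this transcript; it is not Mandiant's tooling. The log
format, the legitimate-domain list and the sample lines are constructed.
"""
from urllib.parse import urlsplit

# Constructed: hostnames the organization legitimately operates.
LEGIT_DOMAINS = ("victim.com", "webmail.victim.com")

# Constructed proxy log lines: <timestamp> <client_ip> <url>
SAMPLE_LOG = """\
2015-09-16T09:01:12 10.0.0.15 https://webmail.victim.com/owa/
2015-09-16T09:03:44 10.0.0.15 https://webmail.victim.co/owa/auth/logon.aspx
2015-09-16T09:05:02 10.0.0.22 https://www.example.org/news
2015-09-16T09:07:19 10.0.0.31 https://victlm.com/login
2015-09-16T09:09:55 10.0.0.31 https://cdn.victim.com/static/app.js
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_legit(host: str) -> bool:
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_of(host: str, max_distance: int = 1):
    """Return the legitimate domain that `host` imitates, or None.

    Both the full hostname and its last two labels are compared, so
    'webmail.victim.co' is caught against 'webmail.victim.com' and
    'victlm.com' against 'victim.com'. Exact matches and real
    subdomains are never flagged.
    """
    host = host.lower().rstrip(".")
    if is_legit(host):
        return None
    candidates = [host, ".".join(host.split(".")[-2:])]
    best = None
    for cand in candidates:
        for legit in LEGIT_DOMAINS:
            d = levenshtein(cand, legit)
            if d <= max_distance and (best is None or d < best[0]):
                best = (d, legit)
    return best[1] if best else None


def scan_log(log_text: str, max_distance: int = 1):
    """Return (timestamp, client_ip, host, imitated_domain) for suspect lines."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        ts, client, url = parts
        host = urlsplit(url).hostname or ""
        hit = lookalike_of(host, max_distance)
        if hit:
            findings.append((ts, client, host, hit))
    return findings


if __name__ == "__main__":
    for ts, client, host, legit in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} visited {host} (looks like {legit})")
```

With a distance threshold of 1, short legitimate names will produce false positives against unrelated short domains, so in practice the threshold is tuned per domain and the output feeds an analyst queue or a DNS block list review rather than an automatic block. The same function can be pointed at DNS query logs or at newly registered domain feeds to catch a lookalike before anyone in the organization receives the lure.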
Threat Actor Motivations
Nuisance
  Objective: Annoyance & Ransom
  Example: Botnets & DDoS
  Character: Automated / Conspicuous
Hacktivism
  Objective: Defamation, Press & Policy
  Example: Website Defacements
  Character: Conspicuous
Cyber Crime
  Objective: Financial Gain
  Example: Bank and Credit Card Theft, Insider Trading
  Character: Opportunistic
(Targeted row: not captured in the transcript)
Threat Actor Motivations
Nuisance
  Objective: Annoyance & Ransom
  Example: Botnets & DDoS
  Character: Automated / Conspicuous
Hacktivism
  Objective: Defamation, Press & Policy
  Example: Website Defacements
  Character: Conspicuous
Cyber Crime
  Objective: Financial Gain
  Example: Bank and Credit Card Theft, Insider Trading
  Character: Opportunistic
Data Theft
  Objective: Economic, Military, Political
  Example: Advanced Persistent Threat
  Character: Persistent
(Targeted row: not captured in the transcript)
Chinese Government Motivations
The Chinese government is known to compromise global companies for the following reasons:
1. Theft of intellectual property
2. Inside knowledge of mergers, acquisitions, and divestments
3. Modernization of processes and technologies
4. Political reasons – political activists, spread of democracy, etc.
5. Amassing personal information for all residents of certain countries
Threat Actor Motivations
Nuisance
  Objective: Annoyance & Ransom
  Example: Botnets & DDoS
  Character: Automated / Conspicuous
Hacktivism
  Objective: Defamation, Press & Policy
  Example: Website Defacements
  Character: Conspicuous
Cyber Crime
  Objective: Financial Gain
  Example: Bank and Credit Card Theft, Insider Trading
  Character: Opportunistic
Data Theft
  Objective: Economic, Military, Political
  Example: Advanced Persistent Threat
  Character: Persistent
Disruption
  Objective: Escalation, Destruction
  Example: Destroy Infrastructure
  Character: Conflict Driven
(Targeted row: not captured in the transcript)
Examples of Ways to Counter Attacks
• Identification and protection of our most critical assets
• Annual "red teaming" of environments (internal and external networks, social engineering, and web applications)
• Requiring dual factor authentication on all remote access (VPN, Citrix, Terminal Services, and webmail)
• Deployment of application whitelisting technology to critical assets (domain controllers, mail servers, file servers, etc.)
• Network compartmentalization of critical assets and data
• Limit access to system backups to prevent intentional destruction
• Deployment of advanced malware detection/prevention technology at the perimeter (web and email)
• Searching for host and network-based indicators of compromise on a periodic basis
• Inventorying service accounts and resetting passwords on a periodic basis
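The periodic search for host- and network-based indicators of compromise on this list is concrete enough to show in code. The sweep below is an added example, not Mandiant's tooling and not part of the original deck: it hashes host artifacts and matches them against known-bad hashes, and parses DNS and connection log lines for known-bad domains and addresses, returning one combined list of hits. Every indicator, file, hostname and log line is a constructed placeholder (RFC 5737 address space and example.net names); a real sweep would load its indicator set from a threat intelligence feed and read the files from disk.

```python
"""Periodic sweep of host and network artifacts against indicators of compromise.

Added example for this transcript; it is not Mandiant's tooling. The
indicator values, file contents and log lines are constructed placeholders.
"""
import hashlib

# Constructed indicator list. A real one would be loaded from a threat-intel feed.
IOCS = {
    "sha256": {hashlib.sha256(b"constructed-malicious-dropper").hexdigest()},
    "domain": {"update-check.example.net"},
    "ipv4": {"203.0.113.45"},  # TEST-NET-3 documentation range
}

# Constructed host artifacts: file path -> file bytes (stand-ins for the
# files a host agent would read and hash during a sweep).
HOST_FILES = {
    r"C:\Windows\Temp\dropper.exe": b"constructed-malicious-dropper",
    r"C:\Windows\System32\notepad.exe": b"constructed-benign-binary",
}

# Constructed network log lines: <timestamp> <hostname> <kind> <value>
# kind is "dns" (queried name) or "conn" (outbound destination ip:port).
NETWORK_LOG = """\
2015-09-16T02:11:05 WS-0142 dns update-check.example.net
2015-09-16T02:11:06 WS-0142 conn 203.0.113.45:443
2015-09-16T08:00:00 WS-0077 dns www.example.org
2015-09-16T08:00:01 WS-0077 conn 198.51.100.7:443
"""


def sweep_hosts(files: dict, iocs: dict) -> list:
    """Hash each file and report those whose digest is a known-bad hash."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in iocs["sha256"]:
            hits.append(("host", path, digest))
    return hits


def sweep_network(log_text: str, iocs: dict) -> list:
    """Match DNS queries and outbound connections against domain/IP indicators."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines; a sweep must not abort on one
        ts, host, kind, value = parts
        if kind == "dns" and value.lower().rstrip(".") in iocs["domain"]:
            hits.append(("network", f"{host}@{ts}", value))
        elif kind == "conn":
            ip = value.rsplit(":", 1)[0]  # drop the port, match on address only
            if ip in iocs["ipv4"]:
                hits.append(("network", f"{host}@{ts}", ip))
    return hits


def run_sweep() -> list:
    """Combine host and network findings as (source, where, indicator) tuples."""
    return sweep_hosts(HOST_FILES, IOCS) + sweep_network(NETWORK_LOG, IOCS)


if __name__ == "__main__":
    for source, where, indicator in run_sweep():
        print(f"[{source}] {where}: matched indicator {indicator}")
```

Two design points carry over to a production sweep: the hash match is exact, so it only finds samples already in the indicator set, which is why the slide pairs it with perimeter malware detection; and the network matcher keys on the workstation and timestamp, which is what the responder needs first in order to pivot from a single hit to the host timeline.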
QUESTIONS?
Charles Carmakal
Vice President
+1 864 735 7242
The Emerging Cybersecurity Threat -
Legal and Regulatory Considerations
FEI Canada September 16, 2015
Adam Kardash
Partner, Privacy and Data Management
Osler, Hoskin & Harcourt LLP
Privacy Liability Drivers
Series of drivers fueling the increased prominence of privacy issues/risk, including:
• Rapid developments in information technology
• Explosion in the volume of data, "data use"
• Data ubiquity
• Sophistication and breadth of cybersecurity threat
• Legislative drivers
• Enhanced regulatory scrutiny
• Class action threat
Statutory Safeguarding Obligations
Safeguarding provisions require organizations to take reasonable technical, physical and administrative measures to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, modification or destruction.
Private Sector Privacy Legislation: Use Restrictions
• General prohibition on the use of personal information without consent (subject to limited exceptions).
• Organizations may only collect, use or disclose personal information for purposes that a "reasonable person would consider appropriate" in the circumstances.
What is a “reasonable” safeguard?
“The reasonableness of security measures and their implementation is measured by whether they are objectively diligent and prudent in all of the circumstances. To acknowledge the obvious, “reasonable” does not mean perfect. Depending on the situation, however, what is “reasonable” may signify a very high level of rigour.”
(See BC Investigation Report F06-01)
What is a "reasonable" safeguard? Cont'd.
Findings by privacy regulatory authorities provide the following list for organizations considering the reasonableness of their safeguards:
• Whether the security risk was foreseeable;
• The likelihood of damage occurring;
• The seriousness of the harm;
• The sensitivity of the personal information involved;
• The cost of preventative measures; and
• Relevant standards of practice.
Note: Standards set a "minimum" set of expectations. (See, for example, Alberta Investigation Reports P2006-IR-005 and P2008-IR-002, and the OPC and OIPC Alberta Report of an Investigation into the Security, Collection and Retention of Personal Information: TJX Companies Inc. / Winners Merchant International L.P.)
Security Breach Notification Requirements
Alberta's Personal Information Protection Act
• Includes a statutory obligation to notify the Alberta Commissioner of a breach where there is a real risk of significant harm to an individual.
• The Alberta Commissioner has authority to require organizations to notify affected individuals of a breach.
• All security breach decisions are posted on the OIPC website.
Security Breach Notification Requirements Cont'd.
Amendments to PIPEDA
• Include an obligation for organizations to report to the Commissioner any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
• Also require notification to individuals and other organizations. Organizations must maintain a record of all incidents, accessible by the Privacy Commissioner.
Manitoba's Personal Information Protection and Identity Theft Prevention Act (not in force)
• An organization must notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.
Impact of Security Breach Notification Requirements
• Enhanced transparency/reporting about security incidents within organizations.
• More notifications to affected individuals about security incidents.
• More media reports and general awareness about information security (or lack thereof).
• More investigations/posted decisions by privacy regulatory authorities.
• Increased litigation risk: tort of invasion of privacy; Bell class action (misuse of data).
• More proactive efforts by organizations to address personal information security concerns.
• Increased costs to organizations due to all of the above.
Lessons Learned
Be prepared to respond to the following four questions during a privacy regulatory investigation of a security incident:
• Show us your organization's security incident protocol, and how you implemented it.
• Show us your organization's information security governance program.
• Show us evidence of your regular compliance monitoring.
• Show us evidence of regular training and awareness.
Lessons Learned Cont'd.
The significance of an effective security incident response plan cannot be overstated.
AccessPrivacy Security Incident Workshop:
• 78% of participants described their organization as having an open and honest culture of reporting privacy breaches.
• 80% of participants indicated that their organization had a data breach response plan, yet only 51% were confident that their organization's privacy breach response plan would be sufficient to respond to a public, large scale security incident.
• 57% of participants indicated that their organization had an incident tracking program in place that facilitates tracking and reporting of privacy breaches.
MARSH
A Structured Approach to Cyber Risk
1. Understanding the risk exposure: "What does the organization's current posture look like?"
• Dependency on vendors (cloud, mobile, hosting, etc.)
• Domicile of customers
• Compliance with regulatory requirements (including PCI)
• Critical asset inventory (what protections are in place?)
• Conduct platform operational maturity assessment
• Reliance on technology to conduct business operations?
2. Risk Assessment: "What are the top risks which could materially impact the organization?"
• Review existing risk assessment material and identify top cyber risk elements
• Conduct interviews with internal business units and operational departments
• Based on the above, and understanding of the business, create a common risk taxonomy with cyber risk categories and the cyber risk elements within each category
• Prioritize risk categories in terms of economic impact and frequency (likelihood)
3. Risk Quantification: "What are the economic implications of the risks identified?"
• Generate loss scenarios based on the priority risk categories
• Model the costs of a privacy breach, if relevant
• Quantify economic loss stemming from an interruption to the business due to a technology failure (internal or external – vendor)
4. Recommendations and prioritization: "How can we mitigate these risks?"
• Based on the outcomes, seek to identify the root causes
• Align largest risks with risk appetite
• Create risk mitigation recommendations for the highly exposed risk elements
Taxonomy of Cyber-Vulnerable Assets
An asset is any data, device, or other component of the environment that supports information-related activities. An asset's loss potential stems from the value it represents and/or the liability it introduces to an organization.
• Financial Assets
• Corporate IP: Confidential Data / Trade Secrets; General Corporate Data
• Third-Party Data: B2B – Confidential Data; B2C – Personal Data
• Technology Infrastructure: Operational Technology; Core Information Systems; General Information Systems; Outsourced Systems
• Relationship Capital: B2C – Brand & Reputation; B2B – Commercial Relationships
• Cyber-Exposed Physical Assets
Marsh has a four step process to think about cyber risk holistically
1. Assessment: Conduct a cyber risk assessment to understand the consequences of a cyber event from an impact and complexity perspective
2. Mapping: Estimate the frequency and severity of events to prioritize
3. Modelling: Calculate impact of a record breach
4. Insurance Audit: Design the most effective and efficient insurance program
IDEAL Cyber – Privacy Event Model: Step 3 Range of Outcomes
Note: In 1 out of every 100 breach events, or 99% of the time, the costs will be these amounts or lower.
IDEAL Cyber – Privacy Event Model: First Party Costs
Note: Costs do not include Business Interruption and/or costs to recreate the data.
IDEAL Cyber – Privacy Event Model: Third Party Costs
Note: Card Reissuance Liability will only be displayed with PCI as Record Type.
Step 4: Cyber Risk Insurance Audit (Marsh, September 17, 2015)
Policy types compared: Property; General Liability; Traditional Fidelity Bond; Computer Crime; E&O; Special Risk; Broad Privacy & Cyber Policy.
Legend: Not covered / Covered / See notes / Dependent upon specifics of claims, may not be covered. (The per-policy coverage marks for the first six policy types are not present in the transcript; for each peril only the Broad Privacy & Cyber Policy coverage element is listed.)

Privacy & Cyber Peril -> Broad Privacy & Cyber Policy coverage element
• Destruction, corruption or theft of your electronic information assets/data due to failure of computer or network -> Information asset protection
• Theft of your computer systems resources -> Information asset protection
• Business interruption due to a material interruption in an element of your computer system due to failure of computer or network security (including extra expense and forensic expenses) -> Network Business Interruption
• Business interruption due to your service provider suffering an outage as a result of a failure of its computer or network security -> Network Business Interruption (sub-limited or expanded based upon risk profile)
• Indemnification of your notification costs, including credit monitoring services -> Privacy Liability (sub-limited)
• Defense of regulatory action due to a breach of privacy regulation -> Privacy Liability (sub-limited)
• Coverage for fines and penalties due to a breach of privacy regulation -> Privacy Liability
• Threats or extortion relating to release of confidential information or breach of computer security -> Cyber Extortion
• Liability resulting from disclosure of electronic information & electronic information assets -> Network Operations Security
• Liability from disclosure of confidential commercial &/or personal information (i.e. breach of privacy) -> Privacy Liability
• Liability for economic harm suffered by others from a failure of your computer or network security (including written policies & procedures designed to prevent such occurrences) -> Network Operations Security
This document and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are intended solely for the entity identified
as the recipient herein (“you”). This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including
other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on
our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should
consult your own professional advisors. Any modeling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially
affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is
based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you
and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis
or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the
financial condition or solvency of insurers or reinsurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.
• Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.
• Copyright © 2014 Marsh Canada Limited and its licensors. All rights reserved. www.marsh.ca | www.marsh.com