HARDENING SOFT TARGETS

ADDRESSING CYBER SECURITY THREATS TO BUSINESSES AND LAW FIRMS

Housekeeping

. Set mobile devices to silent or vibrate
. Return request for CLE Credit and completed evaluation to registration desk
. Please replace Art Ehuan with Edward Gibson on your evaluation form

Our Presenters

. Jennifer Daniels, Partner, Blank Rome LLP
. Edward P. Gibson, J.D., Solicitor-UK, CISSP, FBCS, Alvarez & Marsal, Senior Director, Forensic Technology Services
. Mike McMullen, Anadarko, Global Information Security Manager
. Joseph Speelman, Partner, Blank Rome LLP

Agenda

The Problem
. Cyber threat from Organized Crime and Nation-State Actors
. Target Profile
. Types of Cyber Attacks
Legal Landscape
. United States
. Europe
Hardening the Corporation
. Cyber Security Hardening Recommendations
. Corporate C-Level and Board Engagement
. Incident Response Framework
Future Trends
. Weaponization of Cyber Space

TYPES OF ATTACKS

Threat Actors

. Amateur
. Black Hat and White Hat
. "Hacktivists"
. Organized Crime (e.g. the RBN): financial gain
. Nation-State sponsored (e.g. the PRC): trade secrets for technical advantage
. Cyber Terrorists

In The News

Remember Mafiaboy? Mafiaboy v. Yahoo, CNN, eBay, Dell, & Amazon (2000)

The first major distributed denial of service (DDoS) attack responsible for crippling some of the internet's most popular websites was executed by a Canadian citizen not old enough to drive. "Mafiaboy," a.k.a. 15-year-old Michael Calce, set out to make a name for himself in February 2000 when he launched "Project Rivolta," which took down the website of the #1 search engine at the time (and the second most popular website), Yahoo. Thinking it may have been a fluke, he went on to batter the servers of CNN, eBay, Dell, and Amazon in a wave of highly publicized attacks that were the first to show the world how easily one kid could knock out major websites. Calce was ultimately picked up by Canadian police (while watching Goodfellas, allegedly) and pleaded guilty to hacking. He faced 3 years, but was sentenced to eight months in a juvenile detention center and forced to donate $250 to charity.

Cyber threats from the recent past (a few years ago)...
. Cyber crime in the past mostly involved unsophisticated attacks to deface websites of corporations and governments.
. Notoriety and bragging rights were the primary drivers for this malicious behavior.
. Minimal involvement of Organized Crime and Nation-State actors.

In the News

Corporations have myriad cyber criminals to contend with...
. The consensus from both government and business is that cyber attacks against organizations will continue to increase for the foreseeable future.
. It is estimated that the global cost of cyber crime is in the hundreds of millions to billions of dollars.
. The costs are either direct or indirect: revenue that organizations must spend to prepare, to contain a breach while it is under way, or to remediate after the event.

Stratfor Hacked 12/2011

In the News

Corporations have myriad cyber criminals to contend with...
. In particular, the financial sector will continue to see expanded attacks from Organized Crime groups that have extensive resources to target small, medium, and large financial institutions.
. Regardless of the size of the business, no organization is immune from cyber attack. Organized Crime groups are interested in the data that is stored and maintained, or in access to systems, for monetary purposes.

In the News

Nation-State cyber threats are added to the mix...
. Nation-States are increasingly aggressive in compromising corporate and government systems for intellectual property, research and development information, and other data.
. It is estimated that dozens of countries around the globe currently have an (offensive) cyber warfare capability, with many more building capacity in the coming years.
. The Nation-State threat is the most difficult to identify and defeat due to the sophistication of the adversary.
. Nation-State actors are tenacious, deliberate, and methodical in their approach to breaching an organization.
. A Nation-State actor can maintain access to an organization for years without detection.

TARGET PROFILES

Industries Under Cyber Attack in 2012

[Pie chart: share of reported incidents by sector. Sectors shown: Energy, Water, Internet Facing, Commercial, Chemical, Critical Manufacturing, Government, Nuclear, Transportation, Communications, Health Care, Banking and Finance, Dams, Food and Agriculture, IT. Energy is the largest slice at 41%, followed by Water at 15%; the remaining sectors range from 11% down to 1%. Source: Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)]

Target Profile

Energy and Chemical Sector
. The computing and network systems being targeted are classified as Industrial Control Systems (ICS).
. ICS are targeted because they manage the systems of critical infrastructure.
. A compromise of a corporation's ICS will have a debilitating effect on the organization and potentially on the targeted country.

Manufacturing
. The intellectual property (IP) that a corporation develops is one of its most valuable assets and may be the sole reason for its existence.
. If the IP is stolen and developed elsewhere, the financial impact may be ruinous to the organization.
. American Superconductor offers a grievous example of the cost of IP theft: its share value dropped by 80% within 6 months of losing a major order to a manufacturer that had acquired its IP.

Law Firms
. Law firms provide a lucrative target for malicious intruders. The client data maintained by a law firm is the same information that is managed, stored, and protected by the law firm's client.
. If a cyber criminal can access the information from the law firm, they do not need to breach the potentially better protected client.
. Cybersecurity has not traditionally been a core function of law firms, so they are soft and easy targets for malicious intrusion and theft.

TYPES OF ATTACKS

Types of Cyber Attacks

SQL Compromise
. The SQL attack is used with dangerous efficiency to compromise networks.
. The complexity of networks and the lack of a robust information security framework in corporations provide an easy entry into the corporate network.
. A corporation that does not conduct proper configuration and patch management WILL be compromised with this attack, GUARANTEED.

Types of Cyber Attacks

Spear Phishing Compromise
. Spear phishing is a directed attack conducted to entice an individual in a corporation to open an attachment.
. Opening the attachment will typically launch malicious software designed to compromise the system.
. Once launched, the malicious software will exploit the system, steal user IDs and passwords, create backdoors, and carry out a myriad of other bad activity on the corporate network.
. Spear phishing is very effective and the likelihood of success is high.
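The SQL Compromise slide above ties the attack to configuration and patch management, but on the application side the root cause is a query assembled from user-supplied text. The following is an added example (not from the deck): the same login lookup written the vulnerable way and with bound parameters, run against a constructed in-memory SQLite table. The table, the users and the payload are illustrative.

```python
"""Added example, not from the presentation: string-built SQL versus bound
parameters.  Uses a constructed in-memory SQLite table so it runs offline."""
import sqlite3


def make_db():
    # Constructed sample data.  Passwords are stored in clear only to keep
    # the example short; a real system stores salted hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: attacker-controlled text
    becomes part of the SQL grammar, not just a value."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    """Same lookup with bound parameters: the driver sends the input as data,
    so quotes and comment markers in it have no SQL meaning."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run both versions with valid credentials and with a tautology payload.
    The payload closes the string literal, ORs in an always-true condition,
    and comments out the password check ('--' starts a comment in SQLite)."""
    conn = make_db()
    payload = "alice' OR '1'='1' -- "
    return {
        "vulnerable_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, payload, "wrong"),
        "param_good_creds": login_parameterised(conn, "alice", "s3cret"),
        "param_injected": login_parameterised(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable version returns the first user row for the injected input without knowing any password; the parameterised version returns nothing, because the whole payload is compared literally against the username column.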

Cyber Threat

. Coined the Advanced Persistent Threat (APT)
. Spear Phishing
  . NOT a "random" attack
  . Sender appears as someone familiar
  . Targets specific organizations and small groups of individuals
  . Designed to steal corporate secrets

Company Attack Wave

. Began to appear in the fall of 2008
. Spring 2011: four separate attacks
  . Mimicked official press releases, even with mistakes
  . 50+ recipients
  . 11 infected computers
. Malicious payload delivered as an attachment or a web link

Code Analysis

. The malware establishes a Command-and-Control channel to a compromised website programmed to:
  . receive new instructions
  . download additional malware components
  . upload stolen information
. Identified a new compromised website
. The obvious response was to block the website, but blocking by URL filtering proved ineffective
. Further packet examination identified two characteristics that did not vary:
  . User Agent String: the component a web browser uses to impart basic information about itself to a web server
  . Random-looking characters inside an HTML comment tag, shown as "dWdzMTI", which base64-decode to "ugs12": "ug" unknown, "s" sleep, 12 hours
. Configured our IPS to alert on / block any traffic that included the user agent string
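The two invariants the packet examination above turned up, a fixed User-Agent string and a short base64 token inside an HTML comment, translate directly into a detection. The following is an added example (not code from the presenters or their IPS): it parses a constructed request/response pair, alerts on the User-Agent as the deck's IPS rule did, and decodes the comment token for the analyst. The deck does not print the real User-Agent, so BEACON_UA is a placeholder; the token "dWdzMTI" and its decoding to "ugs12" are from the deck.

```python
"""Added example, not from the presentation: C2 beacon detection built from
the two characteristics described on the Code Analysis slide."""
import base64
import binascii
import re

# ASSUMPTION: the deck does not give the beacon's actual User-Agent, so this
# placeholder stands in for the string the IPS rule matched.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; BeaconStub 1.0)"

# A run of base64 characters inside an HTML comment, e.g. <!-- dWdzMTI -->.
COMMENT_TOKEN_RE = re.compile(r"<!--\s*([A-Za-z0-9+/]{4,}={0,2})\s*-->")


def decode_token(token):
    """'dWdzMTI' -> 'ugs12'.  The beacon drops base64 '=' padding, so restore
    it first; return None if the token is not valid base64 ASCII text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_command(text):
    """Split a decoded command as the deck did: 'ugs12' -> ('ug', 's', 12),
    a two-letter field of unknown meaning, a one-letter opcode ('s' = sleep)
    and a numeric argument (hours)."""
    m = re.fullmatch(r"([a-z]{2})([a-z])(\d+)", text or "")
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def parse_http(raw):
    """Minimal split of a raw HTTP message into (start line, headers, body).
    Header names are lower-cased; no folding or chunked bodies are handled."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_exchange(request, response):
    """Apply both invariants to one request/response pair.  The alert fires
    on the User-Agent alone, which is the rule the deck pushed to the IPS;
    the comment token in the response is decoded as enrichment."""
    _, req_headers, _ = parse_http(request)
    _, _, resp_body = parse_http(response)
    ua_match = req_headers.get("user-agent") == BEACON_UA
    token = command = None
    m = COMMENT_TOKEN_RE.search(resp_body)
    if m:
        token = m.group(1)
        command = parse_command(decode_token(token))
    sleep_hours = command[2] if command and command[1] == "s" else None
    return {"alert": ua_match, "token": token,
            "command": command, "sleep_hours": sleep_hours}


# Constructed sample traffic (not a real capture).
BEACON_REQUEST = (
    "GET /news/index.php HTTP/1.1\r\n"
    "Host: compromised-site.example\r\n"
    "User-Agent: " + BEACON_UA + "\r\n"
    "\r\n"
)
BEACON_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><!-- dWdzMTI --><p>Welcome</p></body></html>"
)
NORMAL_REQUEST = (
    "GET /news/index.php HTTP/1.1\r\n"
    "Host: compromised-site.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/19.0\r\n"
    "\r\n"
)
NORMAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><!-- footer --><p>Welcome</p></body></html>"
)

if __name__ == "__main__":
    print(inspect_exchange(BEACON_REQUEST, BEACON_RESPONSE))
    print(inspect_exchange(NORMAL_REQUEST, NORMAL_RESPONSE))
```

Alerting on the User-Agent rather than the hostname is what made the rule survive the attacker moving to a new compromised site; the decoded sleep interval tells the responder how long the host will stay quiet before it polls again.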

Another Attack

. 2012: targeted attacks continue
. Yahoo account created using an executive's name (First.Last@Yahoo.com)
. 9 recipients, all VPs
. 1 infected computer

Suspect Email

[Slide: image of the suspect email]
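The 2012 message above is a recognisable pattern: an executive's name on a free webmail address, sent to a small group of senior staff. The following is an added example (not from the presenters): a mailbox-side check that parses the From header, normalises the display name and local part, and flags the message when a directory name matches but the domain is not the corporate one. The executive directory, corporate domain and both sample messages are constructed for illustration.

```python
"""Added example, not from the presentation: flag mail that carries an
executive's name on an external or free webmail address."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# ASSUMPTIONS: constructed corporate domain and executive directory.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
# Free webmail providers; the deck names Yahoo and Gmail as examples.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}


def normalize_name(s):
    """'John.Smith', 'john_smith', ' John Smith' -> 'john smith'."""
    return " ".join(t for t in re.split(r"[.\s_\-]+", s.lower()) if t)


def check_sender(raw_message):
    """Return a verdict dict for one RFC 822 message.  Both the display name
    and the address local part are compared against the directory, since
    either can be made to read as the executive's name."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    candidates = {normalize_name(display), normalize_name(local)} - {""}
    impersonated = sorted(c for c in candidates if c in EXECUTIVES)
    external = domain != CORP_DOMAIN
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    reasons = []
    if impersonated and external:
        reasons.append("executive name on external address")
    if impersonated and domain in FREEMAIL_DOMAINS:
        reasons.append("free webmail domain")
    return {
        "flag": bool(reasons),
        "reasons": reasons,
        "impersonated": impersonated,
        "sender_domain": domain,
        "recipient_count": len(recipients),
    }


# Constructed sample messages (not real mail).
SUSPECT = (
    "From: John Smith <john.smith@yahoo.com>\r\n"
    "To: vp.ops@example.com, vp.finance@example.com\r\n"
    "Cc: vp.legal@example.com\r\n"
    "Subject: Press release for review\r\n"
    "\r\n"
    "Please review the attached before it goes out.\r\n"
)
LEGIT = (
    "From: John Smith <john.smith@example.com>\r\n"
    "To: vp.ops@example.com\r\n"
    "Subject: Press release for review\r\n"
    "\r\n"
    "Attached.\r\n"
)

if __name__ == "__main__":
    print(check_sender(SUSPECT))
    print(check_sender(LEGIT))
```

The check is deliberately narrow: it says nothing about the attachment, only that the sender identity is inconsistent with the directory, which is the cue the recipients in the deck's example had in front of them.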

China's Uh-Oh Moment

. China's CyberWar effort, "Control without Bloodshed" (http://appleinsider.com)

Types of Cyber Attacks

Bring Your Own Device to Work Challenges
. Mobile devices are the newest target of cyber attack by malicious actors.
. Mobile devices (phones, pads, etc.) are computers with the ability to store vast amounts of data.
. These devices can be and are connected to the corporate network, and can be used as a springboard to compromise an organization.

Recruitment Scams

LEGAL LANDSCAPE

US Legal Landscape

. Proposed Legislation:
  . CISPA (Cyber Intelligence Sharing and Protection Act)
  . Cybersecurity Act of 2012 (Senators Lieberman and Collins)
  . SECURE IT Act (Senator McCain)
  . Deter Cyber Theft Act (McCain, Rockefeller, Coburn)
. What proposed legislation is trying to accomplish:
  . Sharing of information by government with the private sector
  . Sharing of information by the private sector with the government
  . Creation of security standards
  . Deterrence of cyber espionage
. Issues:
  . Liability of companies sharing information
  . Protection of proprietary information
  . Exposure of government classified sources and measures
  . Privacy and civil liberties
  . Mandatory vs. voluntary security standards
. Executive Order:
  . Critical Infrastructure: systems and assets so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, and/or national public health or safety.
  . Critical Infrastructure at Greatest Risk: DHS to identify where an incident could reasonably result in catastrophic regional or national effects on public health, economic security, or national security; will notify entities and give the basis for the determination and a process to request reconsideration.
  . Framework: DHS (not NSA) to instruct NIST to develop a voluntary framework to reduce cyber risks to critical infrastructure: technology-neutral standards, methodologies, and procedures; agencies to establish incentives to participate.
  . Government-to-private sharing: the AG, DHS, and the Director of National Intelligence to issue instructions to ensure production of unclassified reports of cyber threats identifying the specific targeted entity; will address the need to protect intelligence sources and methods.
  . Expand clearances: DHS and DOD to establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. DHS to expedite processing of security clearances.
  . Privacy / Civil Liberties: agencies' senior privacy officials to ensure privacy and civil liberties protections are incorporated into activities, based on the FIPPs and the policies that apply to agencies; annual publicly available report by the CPO of DHS.
  . Liability: not addressed.
  . FOIA: not addressed.
  . Private-to-private and private-to-government sharing: not addressed.
. Existing Security and Incident Response Obligations:
  . State security breach notice laws
  . Sector-specific government efforts
  . NIST 800-53 update
  . HIPAA / HITECH
  . SEC Guidance on Cybersecurity Risks
  . PCI Data Security Standards
  . GLBA / Safeguards Rule / Interagency Guidance
  . Red Flags

EU Legal Landscape

. Telecom Reform of 2009 (Article 13a): obligation to report significant security breaches; adopt security measures.
. e-Privacy Directive: personal data breach notice; obligation to secure services.
. Data Protection Reform: breach notice and security measures.
. Cybersecurity Strategy:
  . Aimed at harmonizing the national authorities of EU member states to improve cyber resilience and reduce cybercrime while advancing cyberdefense policy.
  . 5 priorities:
    . Achieving cyber resilience
    . Drastically reducing cybercrime
    . Developing cyberdefense policy
    . Developing industrial and technical resources
    . Establishing coherent international cyberspace policy
. Directive on Network and Information Security:
  . Applies to all "market operators":
    . "Information society service" providers, including e-commerce platforms, Internet payment gateways, social networks, search engines, cloud services, and application stores.
    . Operators of critical infrastructure in energy, transport, banking, stock exchanges, and health.
  . Does not apply to entities already covered by Article 13a.
  . Member States to create competent authorities; Computer Emergency Response Teams; and strategies and cooperation plans.
  . Authorities to cooperate, enabling effective coordination of information exchange, detection, and response to incidents.
  . Private market operators to adopt appropriate security measures, with mandatory reporting of incidents that have a "significant impact on core services."

HARDENING THE CORPORATION

Hardening Soft Targets

[Diagram: defense-in-depth layers, outermost to innermost: Policies, Procedures, Training & Awareness; Physical Security; External Perimeter; Internal Network; Servers, Desktops, Laptops & Mobile; Applications; Information & Data]

Hardening the Corporation

. Risk-based gap analysis of technical, physical, and organizational measures
. Vulnerability assessments (internal and third party)
. Vendor audits / vendor contracts
. Train / hire appropriate personnel
. Identify and develop a relationship with law enforcement / regulators
. Participate in the standard-setting process
. Review insurance coverage
. Communications strategy

Hardening the Corporation

Cyber Security Hardening Recommendations
. Protecting the corporation from cyber risk has become increasingly complex for an organization to manage in a timely fashion.
. The complexity of networks and the lack of a security framework in corporations provide easy access for cyber theft of data.
. Yet there is still much that a corporation can do to protect its information.

Hardening the Corporation

[Diagram: vulnerability assessment cycle: Reconnaissance and Identification; Scanning; Discovery; Exploitation; Compromise; Escalation of Privileges; Post Exploitation; Documentation; Report; Control and Evaluation]

A Vulnerability Assessment can be used to identify risk.

A breach through testing is better than an unexpected one by adversaries.

Hardening the Corporation

Patch and Configuration Management
. Patch and configuration management is one of the most underappreciated facets of information security.
. Proper patch management can provide a significant reduction in a corporation's risk profile by eliminating known vulnerabilities in the organization.
. A process-driven configuration management program should be established and adhered to in strict fashion to reduce risk.

Hardening the Corporation

Restriction of System Administrator Accounts
. Corporations that do not manage the Administrator accounts within their environment are exposing their information to extensive risk of exploitation.
. Restricting the number and role of System Administrator accounts is critical.
. The first, second, and third goal of each and every cyber attack is to acquire System Administrator account access to systems.
. System Administrator account access provides a malicious actor with the keys to the kingdom.

Hardening the Corporation

Limitations on Web Email
. Web-based email (Yahoo, Gmail, etc.) can provide an entry point for malicious software that is not screened by corporate security systems.
. Web-based email should be disabled and not permitted on corporate systems.
. Employees who require access to web-based email should get it from network services that are not connected to the corporate network.

Social Networking Services

. Facebook, LinkedIn, and Twitter
. Permissible provided you ... have an organizational policy
. No Silver Bullet to protect against attacks
. Popular attack vector
  . Scams with malicious links and attachments
  . Tools designed to steal your profile data

Social Networking Services

. How many "Friends," "Followers," or "Connections" do you have?
. Friend requests: beware
. PWN: to conquer or gain ownership
. Be careful what you post
  . "We made it to Disney World, here I am with Goofy!"
  . Instagram... geo tagging

Malware via USB

Beware of untrusted devices!

Hardening the Corporation

Can you answer these questions?

. Preparation: Does your organization have a mature information security program?
. Engaged: Are the Board and C-Level engaged and aware of the risks to the corporation and the steps to mitigate them?
. Risk Mitigation: Is risk identified and mitigated in a timely fashion?
. Information Protection: Is information properly classified by criticality and protected based on threat?
. Market Impact: Does management have a plan for the adverse market impact from a breach of its information?

Board and C-Level Involvement are Essential

Responding to an Attack

. Internal investigation:
  . Importance of preserving privilege
  . Engage forensic experts
  . Understand legal obligations such as individual notice or regulator notice
  . Identify contractual obligations
  . Contact insurer

Responding to an Attack

. Response:
  . Technical response
  . Work with law enforcement / government agencies
  . Prepare and send notices
  . Call center / public relations
  . Communications strategy
  . Consider identity theft protection service
  . Assess potential insurance claim
  . Hack back?
  . Lessons learned

FUTURE TRENDS

Future Trends

Weaponization of Cyber Space
. In much the same manner as the arms race between the superpowers in the latter part of the 20th century, there is now a new arms race in the cyber offense arena.
. Nation-States are identifying and developing the capability not only to defend their infrastructure from cyber attack, but also to conduct offensive cyber operations.
. The cyber weapons that have been or are being developed provide the capability to destroy the computing systems that power a city, provide water to a town, etc.
. These weapons are becoming increasingly difficult to identify, attribute, or render safe once released into the "wild."
. The asymmetric nature of cyber warfare allows a Nation-State with less military capacity to meet a potential adversary on a more level playing field.
. Cyber warfare capability can be built relatively inexpensively compared to buying tanks, fighters, etc.

In Conclusion...

Summary

. Cyber crime is here to stay and the threat will continue to evolve.
. No industry is safe from cyber attack.
. There are numerous actions that a corporation can take to protect its information.
. Securing the organization is a much better strategy than responding to an incident.

ACT BEFORE ATTACKED

Incident Response Planning