Travelers Cyber Academy® - Cybersecurity Training Videos and Resource
This cybersecurity training program helps businesses and organizations learn about emerging cyber trends, pertinent cybersecurity issues and risk management practices to help mitigate cyber exposures. With Travelers Cyber Academy cybersecurity education courses and videos, businesses can learn from cybersecurity professionals how certain services are effective; review cyber risk scenarios; learn how to work with “white hat” hackers and security researchers to better protect networks, systems and data; prevent credit card fraud and more.
Available videos
Cybersecurity: Wearing the white hat
Learn how 'white hat' hackers and security researchers can help protect networks, systems and data.
In the early days of the internet, many regarded the new digital frontier as a Wild West that was largely unknown and mostly unregulated. Although much has changed, the internet still has its digital bounty hunters: hackers who spend their days trying to protect businesses from nefarious bugs and vulnerabilities. You will hear about these modern-day vigilantes in today's session of the Travelers Cyber Academy, Cybersecurity: Wearing the White Hat.

Any company that has an internet presence can potentially be a target for hackers. That may sound scary, but some hackers have good intentions and are actually trying to help improve the security of the internet. The first step for companies that want to take advantage of these white hat hackers is to establish a responsible disclosure program, also known as a vulnerability disclosure program. We will cover those programs in the first part of today's session. For companies that want to go a step further, bug bounty programs create incentives that can encourage white hat hackers and security researchers to focus on finding vulnerabilities in a company's most valuable assets. Bug bounties will be covered in the second part of today's session.

To many people in the cybersecurity industry, being a hacker is not necessarily a bad thing. A hacker is just somebody with expertise in computers and other technology in general, such as cell phones or Internet of Things devices. Hackers like to test limits and to look for unexpected ways to do cool and interesting things. While there are certainly hackers who use their skills for nefarious purposes and illegal financial gain, there are also hackers whose first inclination on finding a vulnerability would be to report it so that it can be fixed. According to a recent report by HackerOne, a company that works with white hat hackers and security researchers, most of its 300,000 hackers are based overseas, about one in four of them are currently
students, and more than half of them are 24 years old or younger. For most of these hackers, hacking is not a full-time job; it is something they do on the side to learn about things that interest them and maybe earn a bounty or two along the way.

So what happens when a white hat hacker finds a vulnerability in a company's network or website? In many cases they will try to contact the company by phone or by email. Unfortunately, many recipients of an email like this would not know what to do. They might delete the email or even report it to law enforcement authorities. A company's employees usually don't know what to do if there is no process in place for handling an unsolicited vulnerability report from an unknown third party. For this reason, government agencies such as the Federal Trade Commission have recommended that companies have an effective process in place to receive and address security vulnerability reports. In fact, companies have been charged with violating the FTC Act based in part on not having such processes in place, that is, for a failure to maintain an adequate process for receiving and addressing security vulnerability reports from security researchers and academics. Government agencies have started to address this issue by establishing responsible disclosure programs themselves and by providing written guidance to companies on how to set up responsible disclosure programs, including the U.S.
Department of Defense, the U.S. Department of Justice, the General Services Administration and others. The purpose of these responsible disclosure programs is to provide a channel for security researchers and other white hat hackers to communicate information about security flaws, thereby helping companies keep private and sensitive information both confidential and safe. As the U.S. Department of Defense states in its responsible disclosure policy, the security researcher community regularly makes valuable contributions to the security of organizations and the broader internet; fostering a relationship with that community can help organizations improve their own cybersecurity.

There are five principal elements of a responsible disclosure policy. Scope: here the organization specifies what systems and applications can be tested and which are off limits. The scope can be narrow, for example identifying one or two specific systems, or it can be quite broad. The U.S. Department of Defense, for example, invites hackers to test any public-facing website owned, operated or controlled by DoD, including web applications hosted on those sites. The organization can also provide guidelines to hackers on what types of attacks are acceptable and set limits on how far a vulnerability should be tested. Next, the authorization or safe harbor provision states that an organization will not take legal action against researchers or hackers who comply with the policy. The policy should also specify how researchers and hackers can report vulnerabilities to the organization and what information should be included. Finally, the coordination provision specifies how the organization will handle reported vulnerabilities, including whether and when the vulnerability will be made public. This last provision is an important part of a responsible disclosure policy because many security researchers and hackers will choose to go public if the affected organization does not appear to be taking steps to address the vulnerability in a timely
and responsible way.

So there are two types of hackers out there: there are friendly hackers that want to help you, and there are cyber criminals. And if you don't have a process for the friendly hackers to contact you, the only ones that are coming after you are the criminals. In my opinion, any company that exists on the internet and has something on the web needs to have a responsible disclosure policy, because once you're connected to the web in whatever way, there is a chance that someone, like a customer of yours or an external security researcher, might stumble upon a vulnerability. And if it's unknown how to contact that company to report the vulnerability, then the security researcher might not know what to do, so they might not tell you about it, or they might try alternative methods to get into contact.

Before I founded HackerOne I was a hacker myself, which means that I found lots of vulnerabilities, typically in products and services and software that I was using myself, and it was very hard to tell companies about those vulnerabilities. So it always led to this frustration of, hey, there's software I'm using, and my personal information is in the system, but it has vulnerabilities, and somehow I can't contact the company to report the security vulnerability to them. You could try to email their customer support team, or you could try to call their customer support phone number, but typically that's not the right place for a vulnerability report, since the customer support team typically is not equipped to technically understand the security vulnerability. So it's really important for those companies to set up a process for taking in security vulnerabilities from possible outside security researchers.

The hackers that participate in bug bounty platforms are just normal human beings. They don't look like anything that you see in the Hollywood movies, where they type really fast on computers and have text flying
off the screen. They're just normal hackers, and they look like anyone else that can work with a computer. It's really a global community, with hackers from all different ages. There are hackers that are still in high school, we have hackers that are academics, we have hackers that have professional jobs at large companies, and they kind of do this hacking thing on the side. The big motivation for a hacker is typically just the intellectual challenge of trying to break something. So hackers are naturally very curious, and they're also very creative. It is kind of like an art of trying to find your way around some kind of protection that someone puts in front of you, so you're trying to think about the different ways of bypassing a security limitation.

The commonality between a cyber criminal and a white hat hacker is that they have a similar skill: they know how to creatively overcome a limitation that is put in front of them. Both are trying to break into a system; they both have the same skill of breaking into the system. The difference is what you actually do with the information. Where a cyber criminal would take the information and maybe sell it somewhere else, the white hat hacker would actually report the vulnerability to the company that has the vulnerability and get it resolved.

The word hacker has a very broad definition, but in my expertise I like to focus on application security, so I like to focus on trying to break into typically web applications, a little bit of mobile applications as well, but most of my time is spent on web applications. There are hackers that focus on very different aspects of software: they could focus on the network infrastructure behind it, they could focus on the cloud infrastructure behind it. There are hackers that focus on hardware; they like to take hardware apart and actually tinker with the hardware itself and reverse-engineer how the system was built. So there's lots of
different areas of expertise where hackers would like to invest their time.

So the first thing I look at when deciding what company to hack on is: does the application or the software they offer interest me? For me personally, I like to focus on applications that have some kind of regulation or compliance that they have to stay within. Sometimes the biggest vulnerabilities that our hackers find, sometimes the most interesting ones, are those that have kind of a physical nature. We've had hackers find vulnerabilities that impact something in the physical world, like you could think about opening or closing a bridge. Those of course are really cool vulnerabilities, but it's typically not the most critical one; even though it sounds really cool, it's probably something from the movies. The most critical vulnerabilities are typically those that expose large amounts of user information, because we're living in the era of mega data breaches where people's information is sold, and finding vulnerabilities that expose large amounts of financial information or health information from people, those tend to be the most critical vulnerabilities that our hackers find.

So the first step a hacker typically takes in their process, after they've decided who they're going to target, is they'll do reconnaissance, and a large part of the reconnaissance is simply just googling: googling the company name, googling the domain names the company might own, maybe some important executives or people that work there. They might just google those names to kind of see what comes back, like what kind of systems are they using, what are they writing about themselves, are they on social media writing about the company. Those could be interesting pieces of information that help a hacker better understand the target, and that's typically step one. Step two would be to look at the application that they
might target. So if there's an application offered, what does that application do? I personally then try to understand, or kind of get an idea of, what the software does on the back end. Of course the back end is invisible; it's not something you can touch or see, so you have to kind of guess and just come up with a theory of, what if it worked this way, and if it worked that way, how would I go around that? And then it's just many, many different tries. You try many different theories, and you kind of touch in the dark for a long time until you get some signal back that you're on the right track, and then you might continue to invest your time there and potentially stumble upon a vulnerability. So the most important tool a hacker can use is their own curiosity. If you're not naturally curious as a hacker, it's going to be very tough to try to break into something, because you need that curiosity.

By establishing a responsible disclosure policy, businesses can ensure that hackers and security researchers know how to report a vulnerability if a vulnerability is found. Many businesses, however, try to be more proactive and want to actively encourage white hat hackers to test their defenses. One way to do so is to offer an incentive, or a bug bounty, for hackers who find and report a vulnerability. After all, it's a given that cyber criminals are out there looking for vulnerabilities; establishing a bug bounty program gives white hat hackers an incentive to find those vulnerabilities before the criminals can. Most companies that want to offer bug bounties will use a commercial bug bounty platform that connects them to an existing, vetted community of hackers and security researchers. The first step is for the company to define the scope of the program, that is, what systems or applications the company wants to have tested. The company can also define the conditions of payment, that is, what information a hacker needs to provide about a vulnerability and how the value of each
vulnerability will be determined; more on that later. Second, hackers and security researchers are invited to begin testing. This can be an open invitation to all hackers on a platform or, if particularly sensitive systems are being tested, the invitation can be limited to hackers who have gone through a more rigorous screening process. Most bug bounty platforms also help companies to screen or validate reported vulnerabilities; this will reduce the number of false positives that the company needs to deal with. Vulnerabilities that are validated by the bug bounty platform are then reported to the company, which is responsible for remediating the vulnerability, and the hacker is paid a bounty according to the terms set up by the bug bounty program. One significant advantage of a formal bug bounty program is that in many cases it can allow a company to learn about and fix vulnerabilities without those vulnerabilities ever being made public.

So how much is a bug worth? The amount paid by companies for a disclosed vulnerability can vary considerably, from thousands of dollars up to a six-figure payout. The bounty paid will most often depend on how critical the vulnerability is, but other factors can include the number of systems affected and whether the systems affected are still being tested or have already been deployed. In one well-publicized bug bounty program, Hack the Pentagon, the U.S. Department of Defense paid approximately $150,000 to identify 138 legitimate and unique vulnerabilities, averaging just under $1,100 per vulnerability. According to the DoD, hiring an outside contractor to conduct similar testing could have cost the department more than a million dollars. Interestingly, not all bug bounties are paid in cash; at least one airline, for example, has awarded frequent flyer mileage to white hat hackers for finding new vulnerabilities.

At HackerOne we see clients from all kinds of company sizes, from very large enterprises to very small businesses. For a lot of small
and medium-sized companies, you don't have the luxury of having a large security team with hundreds of security experts on the team that actively defend against attacks and test for security issues all day. So what really helps is enlisting this help from a large global hacker community that has the expertise and can help find vulnerabilities and defend against potential threats. Sometimes we get the question of whether or not launching a bug bounty program kind of invites cyber criminals to target you, and I really see that as a non-issue, because when you connect yourself to the internet you already open yourself to cyber criminals, but you don't necessarily open yourself to friendly security researchers and friendly hackers that want to submit vulnerabilities, because they are waiting for the invitation.

So in order to get paid on the platform, we need to collect information about the individuals: who they are, where they live, what their name is, and all those types of information. On top of that, we also provide extra vetting for more sensitive projects. There are bug bounty programs that run on very sensitive computer systems, and typically we perform extra vetting on top of that, things like background checking and clearances that we check. We typically recommend that more for systems that need to be tested that aren't publicly available. So for anything that is just publicly accessible over the internet, that anyone can access regardless, we just use our reputation system as the form of vetting, and then when the systems get a little bit more sensitive, like it isn't on the public internet, it's more like an internal system, that's when we send in hackers that have undergone background checks and extra vetting.

The hackers are paid based on the severity of the vulnerability, and each program can set the payout they give for a critical vulnerability or highest severity vulnerability, or a medium severity vulnerability, and kind of set the
range of payouts they want, and with each level of payout you attract a different kind of hacker. We've seen programs that pay, for instance, up to $1,500 for a critical; we've also seen programs that pay up to $250,000 for a critical vulnerability. The criticality of a vulnerability, or the severity of the vulnerability, is typically decided by some kind of severity scoring mechanism. So at HackerOne we typically recommend those that don't have a system yet to use CVSS, which stands for Common Vulnerability Scoring System, and that is kind of a standard for how you define the severity of a vulnerability based on a few attributes: how easy it is to find, what the impact is of exploiting it, what the potential business impact is. Some severity rating will roll out of that, for instance it could be a higher severity, and from that you can derive a bounty payment. The size of the bounty then is kind of up to the company to decide what they want to pay for each level of severity.

We typically recommend that if you don't have a formal bug bounty program, you don't do those ad hoc or one-off payments. It's better to think through setting up a formal program than to do one-off rewards where you don't really know how it's going to end up. In the formal process you kind of define the rules of engagement, like what are the limitations of where a researcher can test, what is the scope, what are the things that are outside of the scope. And if you don't have a process like that yet, paying for one vulnerability might invite additional testing, and if there's not that process and the rules aren't set up, it's hard to control where the testing will go, when it will stop, or whether it goes within or outside the scope.

What we see most as a source of potential vulnerabilities is the use of third-party software that many small and medium businesses kind of depend on to run their business, but misconfiguring it. So they might integrate it
into their own systems, and it might be sending information, personal information about their business, about their customers, back and forth between those third parties, and if there's some kind of misconfiguration there, it could lead to leaking that information in some way. Typically the most valuable information that can be leaked is something like PII, personally identifiable information, or financial information or health records. It's of course important for companies to have good security health and implement all the normal best practices, and if you need to be PCI compliant, follow everything that PCI prescribes you have to do in terms of security. You need to have that in place at a minimum in order to have just general good security hygiene, but it's never enough to just be compliant with a security standard or to just follow the best practices. The number one step I would recommend to everyone is to at least have some kind of responsible disclosure policy in place, because there are people out there that might have information about vulnerabilities, and if there's an easy way for them to tell you about it, then you can act on those vulnerabilities before they can be exploited and lead to a potential data breach.

In some respects, bug bounty programs are similar to third-party penetration testing; many organizations with mature cybersecurity programs will do both. Unlike penetration testing, which requires an upfront payment, bug bounty programs are paid for performance: a bounty will be paid only if a vulnerability is found. Another difference is that penetration testing is usually conducted by a small team of security professionals, whereas a bug bounty program can be used to pull in hundreds of hackers with potentially more diverse skills and more creative ways of attacking. On the other hand, penetration testing can be used for evaluating both externally visible and internal-only systems, whereas bug bounty
programs are best suited for externally visible systems. It is possible for a bug bounty program to be used on an internal system, but there can be more work involved in setting that up. Finally, a penetration test should result in a written report, which may be required for regulatory compliance; the same is not generally true of a bug bounty program.

Both vulnerability disclosure programs and bug bounty programs are important tools that businesses should consider when structuring their cybersecurity programs. Hopefully most businesses already recognize that, no matter how diligent or careful they are, vulnerabilities can exist in their networks, systems and applications. A bug bounty program can help businesses identify these vulnerabilities more proactively. Once found, it is important for businesses to address vulnerabilities effectively, meaning patching in a timely fashion across the entire organization; to do that, businesses need a strong vulnerability management program. Finally, to protect against vulnerabilities that are missed or that are not patched before they are exploited, companies should consider obtaining cyber insurance as part of any risk management program.

Thank you very much for your time today. We hope you enjoyed this session of the Travelers Cyber Academy on Cybersecurity: Wearing the White Hat. If you have any further questions, please contact us at trvcyber@ems.travelers.com, or for a replay of this session to share with your colleagues and to find additional resources on this topic, please visit travelers.com/cyber.
Understanding cyber risk in the cloud
Most businesses use one or more services in the cloud. Cloud-based services can give businesses more processing power, storage and accessible data, but security is still catching up to this evolving technology.
Welcome to today's session of the Travelers Cyber Academy, Understanding Cyber Risk in the Cloud. According to a recent report, approximately 96% of today's businesses are using a cloud computing service in one form or another. It is important for businesses to understand the benefits of migrating to the cloud, as well as the potential risks involved and the steps that they can take to mitigate those risks. We will start by reviewing different types of cloud services, which are often grouped into three categories: software as a service, platform as a service and infrastructure as a service. Taken as a whole, these services allow businesses to move software applications and other information technology assets from the business premises, sometimes referred to as on-prem, to a third-party service provider. While there are benefits to doing so, of course there are also risks. We will hear about those risks from Ankur Sheth of the Ankura Consulting Group, formerly Navigant, and Keith Novak of Kroll, who will also describe best practices for how businesses can help protect against those risks.

In some ways, cloud computing is simply the next evolutionary step in how businesses rely on third-party service providers to meet their IT needs. Many businesses, for example, have long relied on web hosting companies to host internet websites, or on third-party data centers to provide and manage servers, backup facilities and other IT infrastructure. What's new about the cloud is the breadth and variety of services that are available and the incredible ease with which businesses can access them. With software as a service, or SaaS, there is almost no category of traditional on-premises business software that does not have a cloud-based version. From email, word processing and spreadsheets to HR, CRM and ERP, businesses can choose from ready-to-use cloud-based solutions that do not require installation and maintenance like traditional on-prem software tools. For businesses that are developing software applications,
whether customer-facing or strictly for internal use, platform as a service offerings, or PaaS, provide an easy way to jumpstart the development process. These services provide ready access to the essential building blocks that businesses need to build new applications, whether those applications rely on databases and other familiar technologies or on more novel technologies such as machine learning. Finally, infrastructure as a service, or IaaS, provides a way for businesses to establish or expand computing resources on the fly and on demand. For example, a business that needs to improve its backup and disaster recovery capabilities could turn to an infrastructure as a service provider for a cloud-based solution that is quick and effective, one that does not require a large initial investment in backup software and hardware storage capacity.

Obviously there are many advantages to moving to the cloud. Whether a business is looking for a ready-made SaaS solution, or to develop a custom app on a PaaS platform, or to move an existing system to an IaaS provider, the cloud can offer the right level of service and thereby allow for faster implementation. Cloud-based services are also generally less expensive than their on-prem counterparts, both in terms of upfront costs and maintenance. They also provide for greater scalability, since it is usually easy for businesses to add additional computing power and resources as needed, on demand. Finally, the flexibility and ease of using cloud-based services can contribute both to a business's increased innovation and higher productivity. It is not surprising, therefore, that 96% of all businesses report using one or more cloud services; in fact, businesses report using nearly five cloud services on average, which includes a combination of both public and private clouds. In public clouds, the computing resources used to provide the cloud services are shared, although of course each business's data and activities are kept separate and private even on a public cloud. When
a business uses a private cloud, it is allocated dedicated computing resources by the cloud service provider, creating an extra level of security. Security of data in the cloud is understandably a concern to many businesses, and choosing appropriately between public and private cloud services is one way that businesses can address that concern.

I think every company nowadays has some component in the cloud. I can't personally think of a major business function out there that does not have a variant of a cloud provider out there. Obviously there's lots of on-premise solutions; that's what's been the traditional way. I'll give you a couple of examples. I think Workday for HR is probably the big one right now. A lot of people use SAP, Oracle, some of the traditional solutions, and many are using Workday now, which is fully a SaaS model, to manage all their HR functions, and that could include more than just managing of the employees and full-time people, but also includes payroll and other HR components. We talked about Salesforce for CRM and client management, so that's a big one. After that, another one that we see on the IT side of it, which may make more sense for some people, is ServiceNow. ServiceNow is an IT service management tool; it's probably the biggest one from a cloud perspective right now. So all the major functions I can think of off the top of my head have some cloud variant, and like I said, more and more businesses are adopting these based on their individual specific recommendations and needs.

Companies are really thinking about what services do I put in the cloud versus which ones we still want to store internally and manage ourselves, because that is ultimately our responsibility. That's our data; we own it, and we are responsible if we lose it, and that could have a lot of effects in terms of a breach if you are a company, obviously financial but also reputational. So that's the big thing, and I think the services
that people are putting in the cloud are where they're really trying to identify what makes the most sense for them. Something like Salesforce, which is an internal tool, most people are moving to because there's really nothing that's going to be too confidential, and it's too cumbersome to maintain, and it's a great tool obviously, so that's not as big of a concern. When you're putting health records in the cloud, that's a different issue, because that has a lot of information that you may not want to be out there, or your customers may not be comfortable with as well.

The cloud is very unforgiving when you are in a public cloud environment and your systems are potentially internet accessible. Some companies, when determining whether they're going to use public cloud or private cloud, are looking at it from the perspective of risk; it's probably one of the best ways to look at cloud adoption. A particular company that I've worked with is dealing with a lot of healthcare information, and the risk associated with a data breach is very, very high for them, so some of the determination that's made there is moving to the private cloud, because health information would be a little more tightly secured in a private environment where only they have access to it. So there are a little bit better controls around the private cloud as opposed to the public cloud, where you're using a shared storage model and everything would be internet accessible. When I say shared storage in a public cloud, essentially what that means is there's a pool of storage that is shared amongst everyone. So it may be one server with however much space that's divvied up between all of us, so all of our data resides on that one particular server. We don't all have access to each other's data; there are restrictions, I can only see my data that I'm allowed to see, however it is all shared on that one particular server. The issue with shared storage really becomes this: it's not necessarily that it's an issue with us
both sharing the storage; the problem is typically around a regulatory issue. So if I'm storing sensitive data or regulated data, PHI for instance, in a shared environment, what will happen is the service provider in the environment may back that data up, may store it outside of that particular instance, they may move it to backup tape, they may move it off site, they may replicate that data overseas. This introduces challenges from a regulatory perspective. Think about something like the EU GDPR regulation, where I need to know where that data is being stored, and it needs to be maintained within whatever those borders are. I don't necessarily know how that shared storage is provisioned and replicated, so I have very little context into how that data moves, because they're essentially providing it as a one-for-all: this is the storage you all get to use, but you don't get much say in where that data moves to or how it's stored, or even access to it from a back-end perspective.

For many small to medium-sized businesses, cloud-based services may be more secure than an on-premises counterpart. For example, consider a cloud-based accounting system. Ensuring the security of that system will probably be a very high priority for the service provider, whereas most businesses cannot focus on the security of just one system, no matter how critical. Accordingly, the service provider will be able to allocate more resources and will have greater available expertise to ensure that the system is properly maintained and protected from vulnerabilities. Also, cloud-based service providers often must meet the needs of a wide range of potential customers, including customers with stringent security and auditing requirements. By complying with the requirements of its strictest customers, cloud service providers are often able to provide better security for all of their customers. Of course, moving to the cloud is not a panacea, and poor security practices will create problems for businesses whether on-prem or in the
cloud. According to a report by the Cloud Security Alliance, the number one security issue in the cloud is familiar: the risk of a data breach. In most cases these data breaches are not caused by a security failure on the part of the cloud service provider, but by misconfiguration or other errors when businesses move data to the cloud. For example, in a review of data storage buckets at one service provider, it was found that unrestricted access to the data was permitted 7% of the time, and data was not encrypted 35% of the time. The Cloud Security Alliance also found that weak identity and access management was a problem in the cloud, just as it is on-premises. In the cloud, compromised credentials can allow criminals to steal money and data, as well as computing power, by putting additional servers online that are charged to the victim and used to run software for mining cryptocurrency. This is a new kind of crime known as cryptojacking. Finally, cloud services are often accessed through custom APIs, or application programming interfaces. When those APIs are poorly designed, for example by allowing passwords to be sent without encryption, the result will be a system with compromised security. Take a look now at a significant new threat that businesses should be aware of when migrating to the cloud. Start with Company A, a company that still relies on traditional on-premise servers for its email and HR and payroll systems. For a hacker to get access to those systems, the hacker must get access to Company A's network, which will hopefully be protected by firewalls, antivirus and other similar security controls. Company B, however, has migrated its email and HR systems to the cloud. This reduces the burden on Company B's IT department, which no longer has responsibility for patching and maintaining those systems. It is also a convenience for Company B's employees, who can read and respond to emails from anywhere. Unfortunately, that also means that attackers can try to access those systems from
anywhere, using guessed or stolen passwords. In fact, there are enormous archives of stolen usernames and passwords available on the Internet, and hackers can run those archives against the cloud service until they find one that works. This new form of attack is known as credential stuffing. Also, as businesses add more cloud services, many employees will use the same password on different systems. This can cause a business to suffer significant financial losses when an employee's email password is compromised, perhaps through phishing, and the same compromised password is then used, for example, to access the HR system and to redirect the employee's paycheck. Even more damage could be caused if the attacker is able to get access to a customer database, medical records or even an accounts payable system. Fortunately, these types of attacks can largely be thwarted by turning on multi-factor authentication, a security control that is available with many cloud services. Multi-factor authentication, which is sometimes referred to as two-factor authentication, means using two or more means of authentication instead of relying simply on a password. A password is something you know; other forms of authentication include something you have, such as a hardware token or a mobile device that can be used to receive a text message, and something you are, such as a fingerprint or retina scanner.

Cloud will expose every vulnerability in your information security program, and by that I mean if you have a weakness in technical controls, something such as multi-factor authentication. We commonly use multi-factor authentication today for banking: essentially you get a token on a phone, so you put in your username and password, you get a token on a phone. That's actually a very good control. Many companies still have not adopted that today, so what's happening now is they haven't adopted that for their on-premise systems, and now they begin adopting cloud. Well, they don't think to enable that service in the cloud
because they're not currently using it in-house. That's a weakness or vulnerability; not doing that in the cloud opens yourself up to a lot of risk. So every little weakness in technical controls, processes. Processes is another great one. So one of the most critical and basic functions of IT is essentially to provision a user account, add a new user to give them access to a service. The very opposite of that is to deprovision a user and take away that access. So think about this: on premise, I can simply remove their user account and they no longer have access. It's not publicly accessible, it's only private within my private network. The problem with cloud is, if I don't deprovision that user for, say, email that happens to be residing in the cloud, well, guess what, they still have access to all of that data that they had in the cloud. Now that could be a file share, that could be email, that could be collaboration tools. And so all of those little weaknesses to your program ultimately are very exposed once you start to adopt a cloud. You need to have a good strategy in place, good technical controls, a very mature information security program before you start to move into cloud services.

Cloud: at Kroll we have a large incident response team and we deal with around a hundred breaches a month, so 1,200 a year is our current pace, and I think we see kind of three big areas that come out of these incidents once we do the analysis and investigation. So one, which I think people are very knowledgeable about, is data exfiltration, pulling out confidential data, whether that's credit card information, healthcare information, Social Security numbers, etc. The second one I would think is payment diversion. So payment diversion can mean two things, it could be or can be multiple things, but the two big ones we see is invoice diversion: so when you are paying a vendor or paying a supplier, they will divert that invoice so that they get paid, and change the bank account information on there, so that the hacker or
whatever organization it is will then take that money and then leave with that. The other side of it is employee payroll diversion, so someone can log in to your cloud-based payroll system and change the direct deposit number of the bank. So I think the third one we've seen is really utilization of compute resources. So as the hacker gets into your environment in the cloud, they can plant software to do cryptocurrency data mining, right, and really that may not be as big a deal for servers that are up and running that are already utilizing some power to do specific activities, but really in the cloud they have the ability to spin up new servers. So if we think about infrastructure as a service, as we talked about earlier, they can spin up new infrastructure to do just mining, and that in the end is a true bottom-line cost to your organization, whatever that may be. And they can spin up hundreds and thousands, potentially not that many without you noticing, but they will spin up additional ones, and that over time will have a bottom-line effect on your organization.

One of the problems we're seeing when we do a risk assessment is shadow IT. Essentially what we're finding is departments who are adopting the cloud on their own with very little direction from the organization. File sharing is a great example: they may sign up for a file sharing service and start to share or store confidential information, whether it be intellectual property, whether it be regulated information, so protected health information is a great example. They begin to store and share that information using cloud-based file share services. The organization has no idea; they haven't implemented technical controls, because essentially the department is trying to go on about their business but haven't really put a strategy behind that particular service.

Businesses that are moving to the cloud need to understand that security is a shared responsibility. It is sometimes said that cloud service providers are
responsible for the security of the cloud, while cloud customers are responsible for security in the cloud. What this means exactly will depend on the type of cloud service involved. For example, when a business is using cloud-based servers to run applications in its own environment, in other words using infrastructure as a service, the business will probably be responsible for maintaining the applications and backing up its own data. On the other hand, businesses using applications under the software as a service model will probably expect those responsibilities to be handled primarily by the service provider. Either way, it is critically important for businesses to understand what responsibilities they have when it comes to the security of cloud services, as well as the built-in security tools and features that may be available to them, such as encryption, data loss prevention and multi-factor authentication. In addition, businesses that are using multiple clouds or operating a hybrid environment, in which some users are on prem and others are in the cloud, may want to consider using a cloud access security broker, or CASB. The CASB can be used to support single sign-on capabilities across multiple cloud or on-premise systems while enforcing strong access controls, even for services that do not have them built in. A CASB can also provide greater visibility into how cloud services are being used, particularly when it comes to remote users who would otherwise be outside the purview of on-premise security systems. Finally, the CASB can support additional security controls such as encryption or data loss prevention if those controls are not available for a given cloud service. In general, businesses that are moving to the cloud should start by developing a cloud strategy. This can help avoid the problem of shadow IT, in which different departments start using cloud services on an ad-hoc basis without the knowledge or involvement of the business's IT department. Businesses also need to extend
their awareness and insight beyond third-party vendor management to fourth-party risk and beyond. If a third-party vendor is storing or processing the business's sensitive data using a cloud service, that is a fourth-party risk that the business should be aware of. As discussed earlier, businesses also need to understand their security responsibilities in the cloud and to properly configure cloud services and security features such as access controls, encryption and logging. Finally, as with any other part of their IT infrastructure, businesses should regularly test and audit their cloud services and cloud configurations to avoid any unexpected surprises. Fortunately, for businesses that have cyber insurance, many kinds of cloud-based losses may already be covered. Cyber insurance will often cover the costs of investigation and remediation after a data breach, for example, and for data breach notification, whether the data is lost from an on-prem system or cloud-based service. Cyber insurance is also available for lost income that a business may experience if a service provider, such as a cloud provider, is compromised; this is sometimes known as contingent business interruption coverage. Finally, insurance coverage for legal defense and liability after a data breach, as well as regulatory defense, generally does not depend on whether the breach occurred on prem or in the cloud.

Security in the cloud is a shared responsibility between the service provider as well as the organization that is buying the services. So a good analogy to this is building a new house. You're gonna hire a contractor to build a house, and as part of that you're gonna have them install a state-of-the-art security system, locks on doors, locks on windows and all the general security measures that are part of a house. But what happens is, once you move in, if you don't actually utilize those controls, then that responsibility falls to you. You need to lock your doors, you need to put in an alarm code that's not the base code of zero
zero zero, and put in something more comprehensive. It's your job to actually utilize the controls that are available to make sure that your house is actually secure when you're gone, and it's the same thing with software. You have to utilize the controls that a service provider gives you; if you don't utilize those controls, it's just as much on your head as it is on them.

One of the fundamental things that we do here at Kroll when we're doing a risk assessment, and we've identified a cloud adoption by an organization, is we start to do an application inventory and really understand what have they already adopted, and ensuring that the organization is looking at it from a compliance perspective and that the technical controls are in place, and if they aren't, identifying those vulnerabilities and getting them to remediate, whatever that may be. So some companies are not even aware that you can add on additional services into services that the provider already gives you, and I'll give you an example. Here's maybe something around the idea of data loss prevention, so DLP. So the data loss prevention concept is stopping data from leaving the network that is not supposed to leave the network, and that's built off policies and algorithms that you build into a tool to recognize patterns. So an example is you may not allow employees to send out Excel files, as a very basic example, so it's looking for a .xls extension and it will block anything that does that. Some security providers that are out there that do DLP may not have as sophisticated controls available; they may only be able to operate at the very basic level of file extensions and may not be able to do advanced algorithms and monitoring of data that's leaving a network. So that's an example where a provider will have a capability in that functional realm, but it may not be adequate enough for what you are trying to do as an organization. The problem is, when you start to adopt the cloud, there is really a skill set; it's
learning for those IT team members, and one gap that we consistently see from a lot of organizations is they just don't give their IT teams the training that they need. And cloud is a very specialized form of storage; one misconfiguration and you're opening yourself up to a breach. So making sure that your IT staff understand what they're getting into is really, really important. Something like AWS, Amazon Web Services, where you're using infrastructure as a service: there are things called virtual private systems, there are firewalls there, all of the on-premise controls are now available in AWS, but they call them something completely different, and you really need to understand not only the terminology but the capabilities. So ensuring that those people who you are trusting to do those configurations know what they're doing is of utmost importance. Another thing to consider when migrating to the cloud is potentially using a cloud access security broker, or commonly referred to as a CASB. A CASB is essentially another appliance that you can use that sits between your company's network and the cloud provider, and essentially its job is to enforce policies and check transmission of data that leaves your network that's going to your cloud providers, and this can be set up for multiple cloud providers, not just one. Companies need to realize that depending on the service that you are adopting, software as a service, platform as a service, infrastructure as a service, your backup and disaster recovery needs are not necessarily just met because you've adopted the cloud. They're very nuanced. Software as a service, for instance: they guarantee that the data you're storing there will stay there and it will be replicated and always available to you; they won't necessarily have a snapshot of that data from a month ago or a year ago. If you delete it, it's essentially gone. If you talk about platform as a service and infrastructure as a service, it's really up to you to determine what
level of backups you need. So you may need the capability to go back three months; that's not natively offered, that's something that you need to make sure that you have a contractual relationship for, for that data. From an incident response perspective, having a cloud provider doesn't change your overall plan. The indication is that, you know, every organization should have an incident response plan and incident response notification plan, and should have an idea of how to handle the organization and all the underlying components when an incident happens. So when you are dealing with an incident response, you're going to be working with, hopefully, your cyber risk insurance provider. They will help bring in the right people to actually resolve the incident, and that could be a variety of people, including not just lawyers but also the right teams to pull the right information you may need from either on-premise products as well as your cloud products. Every cloud service has a little bit different logging, a little bit different controls, so when you look for a forensics firm who can do those cloud forensics, they really need to understand what the capabilities are. Office 365 is a great example: there are a lot of logs, but you really need to understand you can't just download, you know, thousands of logs and automatically pick out, hey, here's what happened. It takes a lot of skill, a lot of knowledge. In many cases, in our case, we've created customized tools where essentially those logs will come down in a bulk capacity, and we've actually created a tool where we can really understand at a very granular level what did an attacker do, what searches did they create, did they create an out-of-office rule, and that really helps when you're doing response. So it is absolutely essential that you work with a firm who understands what capabilities those cloud services provide.

Moving to the cloud can offer significant advantages to businesses, including easy access to the latest
technologies with low upfront costs. However, businesses should understand the risks involved and be prepared to mitigate those risks, including by defining a coherent cloud strategy, prioritizing security in the cloud, and monitoring cloud usage and activity. Finally, businesses should consider obtaining insurance to protect against cyber risk, both on prem and in the cloud. Thank you very much for your time today. We hope you enjoyed this session of the Travelers Cyber Academy on understanding cyber risk in the cloud. If you have any further questions, please contact us at trv cyber at EMS travelers comm, or for a replay of this session to share with your colleagues and find additional resources on this topic, please visit travelers.com/cyberadvantage.
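Two of the cloud threats described in the session above, credential stuffing against a cloud login and an attacker creating mailbox rules after getting in, leave traces in the provider's audit logs, and the incident responder quoted above notes that bulk log downloads only help when a tool pulls out what the attacker actually did. The Python below is an added example written for this page, not a Travelers tool or any vendor's product. It triages a handful of constructed audit events: the record layout (Operation, UserId, ClientIP, ResultStatus, Parameters) is a simplified assumption loosely modelled on cloud mail audit exports, and every account, IP address and rule value is made up.

```python
"""Added example: triage of constructed cloud audit events for two patterns
discussed on this page, credential stuffing (one source IP failing logins
against many accounts) and post-compromise inbox rules that forward or
delete mail. The event layout is an assumption, not a vendor schema."""
from collections import defaultdict
import json

# Constructed sample events (not real log data). One JSON object per line.
SAMPLE_LOG = """\
{"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "ResultStatus": "Failed"}
{"Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.5", "ResultStatus": "Failed"}
{"Operation": "UserLoggedIn", "UserId": "carol@example.com", "ClientIP": "203.0.113.5", "ResultStatus": "Failed"}
{"Operation": "UserLoggedIn", "UserId": "dave@example.com", "ClientIP": "203.0.113.5", "ResultStatus": "Succeeded"}
{"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.20", "ResultStatus": "Failed"}
{"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.20", "ResultStatus": "Succeeded"}
{"Operation": "New-InboxRule", "UserId": "dave@example.com", "ClientIP": "203.0.113.5", "Parameters": [{"Name": "Name", "Value": "Sync"}, {"Name": "ForwardTo", "Value": "ext@attacker.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "erin@example.com", "ClientIP": "192.0.2.9", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
"""

# Rule parameters that send mail outside the mailbox or hide it from the user.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def parse_events(text):
    """One JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def credential_stuffing_sources(events, min_accounts=3):
    """IPs whose failed logins target at least min_accounts distinct accounts.
    A single user mistyping a password fails against one account; a
    credential list replayed against the tenant fails against many."""
    failed = defaultdict(set)
    for ev in events:
        if ev.get("Operation") == "UserLoggedIn" and ev.get("ResultStatus") == "Failed":
            failed[ev["ClientIP"]].add(ev["UserId"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}


def successes_from_flagged_ips(events, flagged_ips):
    """Accounts that logged in successfully from a flagged IP: the ones to
    reset and review first, since a stuffed credential worked there."""
    return sorted({ev["UserId"] for ev in events
                   if ev.get("Operation") == "UserLoggedIn"
                   and ev.get("ResultStatus") == "Succeeded"
                   and ev.get("ClientIP") in flagged_ips})


def suspicious_inbox_rules(events):
    """New or changed inbox rules that forward, redirect or delete mail.
    Returns (user, source IP, {risky parameter: value}) per hit."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in ev.get("Parameters", [])}
        risky = {k: v for k, v in params.items() if k in RISKY_RULE_PARAMS}
        if risky:
            hits.append((ev["UserId"], ev.get("ClientIP"), risky))
    return hits


def triage(text):
    """Run all three checks over a log export and return one summary."""
    events = parse_events(text)
    sources = credential_stuffing_sources(events)
    return {
        "stuffing_sources": sources,
        "accounts_to_reset": successes_from_flagged_ips(events, set(sources)),
        "inbox_rules": suspicious_inbox_rules(events),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

On the constructed log, the one IP that fails against three different accounts is flagged, the account that then logged in successfully from it is listed for a password reset, and the rule that forwards and deletes mail is reported while the harmless move-to-folder rule is not. Alice's lone failed attempt from her own address is below the threshold, which is the distinction between a forgotten password and a credential list being replayed; in a real tenant the threshold and the time window would be tuned to the organization's login volume.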
Cybersecurity providers: At your service
Cybersecurity professionals are the best resource for information about the vast array of cybersecurity services available, and how a business can use them effectively.
[Music]
In today's session of the Travelers Cyber Academy we will be covering a range of services that companies can use to understand and improve their cybersecurity posture. These services include risk assessments, penetration testing, compliance assessments and others. First, we will talk about risk assessments. Some companies are subject to laws or business obligations that require regular risk assessments, such as the Payment Card Industry Data Security Standard. Can companies not subject to those requirements still benefit from risk assessments, and why? We will also cover penetration tests, also known as pen tests, and vulnerability scanning and vulnerability assessments. What exactly are these services, and which will be most beneficial to a company? Finally, many companies are subject to regulations or required by business partners to meet minimum standards of cybersecurity. What services are available to these companies to help ensure compliance and avoid costly fees or penalties? Businesses spend huge amounts of money every year to protect their valuable networks, systems and data, and that amount is expected to grow to more than 100 billion dollars by 2020. A significant portion of that money is spent on cybersecurity services, up to 45% according to one source. What are all these services, and which ones should a company be using? In general, companies should start with a risk assessment, and that is where we will begin as well. We will then discuss services such as vulnerability scanning, vulnerability assessments and pen testing, all of which can help a company evaluate its cybersecurity maturity. Finally, we will cover tabletop exercises and compliance assessments, which can also be important elements of a company's cybersecurity program. Regulators and cybersecurity professionals have long recognized that risk assessments are an important component of a strong cybersecurity program. As of 2002, for example, companies regulated under Gramm-Leach-Bliley were required to identify reasonably
foreseeable internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. They were also required to assess the sufficiency of any safeguards in place to control those risks. The goal of conducting a risk assessment is to help businesses manage cyber risk more effectively. For larger organizations, it may be appropriate to conduct risk assessments that are more focused on specific operations, such as the handling of payment card data or protected health information. Also, when conducting a risk assessment, or indeed any of the other services that we will discuss, it is important for businesses to address any recommendations or deficiencies that are identified. In order to do so, it is important to have commitment from the highest levels of the organization, to involve the appropriate stakeholders, and to communicate effectively about the risk assessment and its results. To better understand how risk assessments are conducted and how they can benefit all kinds of businesses, let's turn to Robert Shaker from Symantec and Craig Bray of SecureWorks.
[Music]
[Applause]
Risk assessments are really important for companies because it's the part that helps them focus their team's efforts on those things that are most important to protect. Risk assessments are human interaction assessments; this isn't something you send a piece of technology to do. You have experts in risk come and take a look at your systems, your policies, your procedures, and then they take that, along with technical information that is provided to them, to determine what type of risks your company may have that are in the technology field, and then help you to focus recommendations on closing the biggest risks. So without a risk assessment you could be off attempting to fix something you perceive as a problem, unknowingly working on something of a very low priority. So when you get the third-party risk assessment, not only are you getting the ability to focus on things that are most important, but you're also getting that third-person point of view that you yourself may not have because you're working there every day.

[Music]

It's an outside party giving you an opinion on how you're doing without the bias of your own organization. So a lot of people will get risk assessments because they're required to; their business or the people they do business with require a risk assessment or that they meet a standard, and, you know, that obviously is an important part of the business, but I don't think you should think of it and limit yourself to just those sorts of things. I'd say that'd be a little bit like only going to a doctor when you need to go get life insurance and you've got to, you know, do it for that. You need something you want to do on a somewhat regular basis, and because it's a snapshot, a point-in-time assessment, you can't just do one and consider it to be good forever. You should, you know, you should do it maybe not annually but every couple of years, you know, depending on the level of risk you're willing to take in your organization.
[Music]
When you're preparing for a risk assessment, it's very important first to make sure that you understand your environment as well as you can. So having information about the assets that you have, what those assets do: so if I have, you know, these ten servers, I understand the two servers process credit cards, four servers process health care records, and the remaining servers are back-end. I think it's also important that the management team understands that they need to be open-minded to the requests that will come from the assessor. You may think you're very prepared for the assessment to take place, but you may find when they get there they're asking for things that you didn't think that you'd need to provide, and maybe they're asking for specific policy documentation or process documentation, and if you don't think that applies, being open-minded and allowing them to ask for those things and then providing them will actually give you a more enriched experience at the end, because you'll have stuff in the assessment; those recommendations will be directly applicable to what is going on. And then I think it's more important even as what you do with the results when it's done. At the end of a risk assessment, the deliverable from the consultant is a report, a written report. That report would be something that would have an executive summary section that would be suitable for C-level executives or the board of directors, and then details therein for each section as it pertained to the standard, and it would highlight where your organization met the standard and where your organization was falling short of the standard. It may have some best practice suggestions in it for the best way to meet a standard that you're currently not meeting. I've never found an organization that wasn't doing some things at least very well, and it is also true that you find groups that often learn things about themselves they didn't know. They learned that maybe one part of their
operations isn't at all following the same firewall policy that the rest of the organization is following, or that they are not securing their laptops in the same way that the rest of the organization is doing. You know, these are valuable things to find in a risk assessment, because you want to find those; you don't want the bad guys to find those. It's usually what you don't know about the security of your organization that's going to trip you up.

Businesses can use a variety of tools and services to identify and understand their vulnerability to cyber threats. One such tool is vulnerability scanning. A vulnerability scan identifies the systems and applications that are running on the network and then matches that information against a database of known vulnerabilities in order to determine what vulnerabilities could be present. Generally, a vulnerability scan looks for vulnerabilities, but it does not actually test to see if those vulnerabilities can be exploited. Many businesses use vulnerability scans as part of a vulnerability management program: businesses need to identify and track vulnerabilities in their systems and applications and to apply patches when they become available. Vulnerability scans can also be used as part of a company's change control procedures. As systems are updated or configurations are changed, a vulnerability scan can help to ensure that no new vulnerabilities have been inadvertently introduced. Although vulnerability scanners will typically classify the severity of a vulnerability, high, medium or low for example, an automated scan generally cannot account for the value of the system being evaluated or for the presence or absence of other security controls that might protect the system. For example, a severe vulnerability in a system that does not store or access sensitive data may be less of a concern than a medium vulnerability in a system that stores financial records and is not otherwise protected. A vulnerability
assessment takes these broader factors into consideration and applies human expertise and judgment to determine whether a known potential vulnerability should be remedied. Like a risk assessment, a vulnerability assessment can help a business prioritize its cybersecurity needs, although a risk assessment usually involves a more holistic evaluation of a business's exposure to cyber risk, and not just a determination of whether specific vulnerabilities are significant enough to require remediation. Businesses that have a reasonably mature cybersecurity program can also benefit from penetration testing. In a pen test, vulnerabilities are exploited in a simulated attack, not just identified and categorized. In many cases, pen tests will focus on specific areas of a business, such as its public-facing web applications. It is also important for the business to specify how aggressive the pen test should be. For example, should the simulated attack be limited to technical exploits, or should the pen testers also employ social engineering techniques? If the pen testers are able to get through perimeter defenses, should they try to escalate privileges and move laterally within the network, or stop and report what they have found? The answers to these questions will depend on how mature the business's cybersecurity program is and on what the business is trying to test. Pen testing in particular is best employed as part of a broader cybersecurity strategy. If a business does not have a cybersecurity strategy in place, a pen test will likely confirm that the business is vulnerable without providing much-needed guidance on how the business should protect its data and which vulnerabilities most need to be addressed. When using these services, it is also important for the business to work with the service provider in identifying the appropriate scope for the exercise. Testing and assessments should focus on protecting a business's most valuable systems and data. Finally, businesses can often benefit from
bringing in a fresh pair of eyes by changing or rotating service providers on a regular basis.

When it comes to penetration tests, vulnerability scanning or vulnerability assessments, it's important again that those are programmatic approaches, not one-off events. So let's start with, say, vulnerability scanning. So vulnerability scanning is normally an automated methodology for looking across assets and determining if there are known existing areas that an attacker could take advantage of; that's a vulnerability. When you take that to the next level, you get to vulnerability assessment. So vulnerability assessment is also applying the human intelligence to what those ratings mean. Pen tests are one of those things that you do once you believe you've closed most of your vulnerabilities: we addressed the vulnerability scan and the assessment, now come and check to see if we did that. There's a lot of confusion, I think, just in general between a vulnerability assessment and a penetration test. Oftentimes people use those terms interchangeably. When I get asked by a client about either one of those, the first thing I want to do is I want to try to understand what they are trying to, what their goal is at the end of the engagement, what do they want to have. And I'll tell you why it's important, because a lot of people will say, well, I want the Mac Daddy, most complex penetration test, and what the right thing for you to do at that time is really sort of based on the maturity of your vulnerability management program. If you know you're struggling, and a lot of people struggle keeping up with the patching, then you may be wasting your money to pay for a penetration test, because in a penetration test a very skilled tester is going to find one or two vulnerabilities and exploit them to their end, and you will have a very detailed written analysis of one or two vulnerabilities in your organization. Now that's good, but if
you've got nine other vulnerabilities your debt test isn't going to tell you anything about them
[Music]
There are free scanners that you can download and run on a server. Nessus is one of them, Metasploit; these are tools that you can download, you can use, and you can scan, and you will get back valid results. Now, I think as you mature your program you're going to want to spend the money on paying for a service, or maybe paying for the tool from one of those same companies, like paying for Nessus, or Qualys, which is probably an industry leader there, because you're going to get fewer false positives and you're going to get more quickly updated scans, so you're going to learn about new vulnerabilities more quickly and you're going to get more accuracy in the scanning. The challenge with those tools is, one, you have to have someone who can run them. So if you're trying to use them for yourself, you have to have someone who knows actually what they're doing. They're not so much point-and-click; there is some configuration required. You have to know how to configure it, how to set it up, which exploits to go after, and that's important not only to make sure you've tested all the right vulnerabilities but also to make sure you don't go after a vulnerability that will actually take the business down.
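Added example (not code from the Travelers session, SecureWorks or any scanner vendor): a small Python triage that layers the "vulnerability assessment" factors described above, asset value, exposure, exploit availability, compensating controls and how confident the detection is, on top of the raw scanner severity, so that findings come out in remediation order and detections that may be false positives are flagged for a human to confirm before anyone acts on them. The field names, weights, thresholds and every finding are constructed assumptions; no real hosts, scanner plugins or CVE identifiers appear.

```python
"""Triage constructed vulnerability-scanner findings into a remediation order.

Added example; not code from the Travelers session, SecureWorks or any scanner
vendor. Field names, weights, thresholds and every finding below are constructed
assumptions for the demo (no real hosts, scanner plugins or CVE identifiers).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str             # scanner's own identifier (constructed)
    host: str                   # asset the check fired on (constructed)
    cvss_base: float            # 0.0-10.0 severity as the scanner reports it
    internet_facing: bool       # is the vulnerable service reachable from outside?
    asset_criticality: int      # 1 (throwaway) .. 5 (crown jewels), from the asset inventory
    exploit_public: bool        # is a working public exploit known for this issue?
    compensating_control: bool  # e.g. WAF rule or network ACL already blocks the path
    evidence: str               # "authenticated" (local check) vs "banner"/"inferred"


def priority_score(f: Finding) -> float:
    """Business-context priority in 0..100; the scanner rating is only the starting point.

    Additive model (assumed weights): CVSS contributes up to 50 points, asset
    criticality up to 30, internet exposure 10 and a public exploit 10. A
    compensating control halves the result because it blocks the attack path
    without removing the flaw.
    """
    score = f.cvss_base * 5.0              # 0..50
    score += f.asset_criticality * 6.0     # 6..30
    if f.internet_facing:
        score += 10.0
    if f.exploit_public:
        score += 10.0
    if f.compensating_control:
        score *= 0.5
    return round(score, 1)


def needs_verification(f: Finding) -> bool:
    """Banner- and inference-based detections are the usual source of false positives."""
    return f.evidence != "authenticated"


def bucket(f: Finding) -> str:
    """Decide what happens next; a human confirms unverified high-scoring findings first."""
    score = priority_score(f)
    if score >= 40.0 and needs_verification(f):
        return "verify first"
    if score >= 70.0:
        return "fix now"
    if score >= 40.0:
        return "schedule"
    return "accept/track"


def triage(findings: List[Finding]) -> List[Finding]:
    """Findings ordered for remediation, highest business-context priority first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed scan output for the demo (not real hosts, plugins or CVEs).
SAMPLE = [
    Finding("F-001", "web-01", 9.8, True, 5, True, False, "authenticated"),
    Finding("F-002", "web-02", 9.8, True, 5, True, True, "authenticated"),  # same flaw, behind a WAF rule
    Finding("F-003", "kiosk-07", 7.5, False, 1, False, False, "banner"),    # version banner only
    Finding("F-004", "db-02", 6.5, False, 5, True, False, "inferred"),      # scanner guessed from behaviour
    Finding("F-005", "print-03", 4.3, False, 2, False, False, "authenticated"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.finding_id} {f.host:<9} cvss={f.cvss_base:<4} score={priority_score(f):>5}  {bucket(f)}")
```

The scanner's severity still drives half the score, but the same 9.8 on web-01 and web-02 lands in different buckets because of the compensating control, and the 6.5 on the database outranks the protected web server because of asset value and a public exploit, while still waiting for a human to confirm it was not a guess. The weights are placeholders to be replaced with values from your own inventory; the point is that the judgment the speakers call "vulnerability assessment" can be written down and applied the same way every scan cycle.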
[Music]
It's important when you're selecting the vendor to do pen tests that you have a lot of considerations. I'll share several of the ones I think are important. One is that they're a trusted, viable company. Hiring someone off the internet who claims they do this and can do it automated for a really low price, that would scare me, because you don't know ultimately who's performing that work and whether or not they're actually an attacker who's hiding as a pen tester, and you're basically giving them the access that they wish they could get as easily as they could. Make sure their people aren't just running a tool, right? Anybody can run a tool; the pen test tool comes back with a report. You want them to apply their human intelligence at the end. I would make sure that my penetration tester had something from the body of certifications called Offensive Security Certified Professional, and there's lots of sub-certifications underneath that body, like one specifically for websites and another one for phishing and things like that, but I would make sure that they had resources that had those sorts of certifications. SANS is another organization that has advanced pen testing certifications. One thing I know at SecureWorks is really important to us: we certainly hire people who have those certifications, but we also want to make sure that their backgrounds are, if we're going to hire somebody to do penetration testing on a website, we'd like to hire somebody who began their career as a web developer, and so they've got some of those baseline skills and an understanding of how web developers think and how they design. I think that makes them a more effective penetration tester. It's somewhat of a commoditized business today; you can get someone to do the vulnerability scanning or the pen testing very inexpensively. It's totally worth paying a little extra to get the human component of that, so that you get actionable recommendations to the finalized findings.
[Music]
If you're talking about just getting in, then you know that success rate is probably nearly a hundred percent. Now, there's a difference between just getting in and then being able to either move laterally or move stealthily or complete the attack, or complete the exploitation of the machine. I think a better functional percentage is probably around 80 percent of the time they're successful in finding a vulnerability and exploiting it to its end, meaning that they now would have control of the machine if they chose to do it.

Regular tabletop exercises can help a business ensure that it is prepared to respond quickly and effectively to a cyber incident. At its most basic, a tabletop exercise can test an incident response plan by checking that the appropriate people throughout the organization are identified and that lines of authority are established and agreed upon. The actual scenario that is used for the tabletop exercise does not need to be technical or detailed, although it should be somewhat realistic given the nature of the business and the risks that it faces. The tabletop exercise should help ensure that there is effective communication between the incident response team, senior management and other stakeholders in the organization. Finally, it can be helpful to think of a tabletop as an opportunity to improve the incident response plan, not just as an exercise in validating the plan.

If you've ever been a part of a cyber incident, not from the outside looking in but it's happened to you or to your organization, it actually can be quite emotional for those employees, those individuals involved in it. It's really no different than coming in and finding that somebody has smashed the window to your office building and stolen valuables out of it, or defaced the front of your store with graffiti. And I think in that emotion mistakes get made: evidence inadvertently gets destroyed or covered up, wrong decisions get made, which can hamper the ability to find out exactly what happened and when it happened and what got stolen. So an incident response plan helps you avoid all of those early-on mistakes as you deal with the fog of war, as it were. So if you've gone as far as to have a plan, then it would make sense to test that plan from time to time. There are a couple of different versions of this. One is an executive tabletop. These tabletops are really focused on the upper-level management and walking them through a scenario of an attack happening, and what each of them thinks their role is and what they would do as part of it. What we find is there's a lot of learning: first, that not everyone can be the boss. Someone needs to be assigned the leader for that incident response, and then other people have their roles, and if everyone performs their roles well, they'll do fine. The idea is to give them a scenario that they can walk through to determine what their responsibilities and roles are, what they should be doing, how they should be reporting, who's going to report, and the frequency of those.
[Music]
One thing to note about a tabletop exercise is you don't necessarily have to have a really detailed scenario where you would be getting down to forensic-level detail. Now, that has its place, but the important thing, and the thing that I think you can do with your organization even on your own without the use of an outside consultant or company, is you can step through the tabletop exercise and make sure certain aspects of it are right. You know, there are some very simple things that often can get out of date in an incident response plan that a tabletop exercise will expose: phone numbers, email addresses, all of those. People change roles, people change jobs, so it's a chance to make sure that you have all of the right people still included in the plan and you know how to get a hold of them. An important question that has to be answered in any incident response, and should be explored in the plan, is understanding the criteria of when you need to report publicly and when you don't need to report publicly. That can literally mean whether the business survives or not, so that's an important aspect of a plan to understand. You know, when Symantec does a tabletop, we use our incident response team for these. We take an approach to customize it. We find that there's a lot more value to a team when you take their current incident response plan, read it, understand what they think they're going to do, and then specifically design a tabletop to the plan. It puts a lot of stress on the plan that way. We also do things called injects, and what will happen is, as we're going through this custom-designed tabletop, we will all of a sudden inject a new situation. When you're done you'll have, you know, a nice report that says here's what we did, here's how you responded, but here are our recommendations, and they're not recommendations for how to do a better tabletop, they're recommendations for how to do a better response. So those need to be baked back into the incident response plan. And then, you know, we see a lot of companies, they're trying to do two tabletops a year at a minimum; some are doing one a quarter so that they can be practiced, because that's the important part of the tabletop: not only do you build a better incident response plan, but the more you practice something the better you get at doing it.

There is a different type of exercise. It's called Red vs. Blue Team, a Red Team/Blue Team exercise. These exercises to me are really fascinating and fun, and teams will learn a lot from them. Essentially, one team is the red team, so they actually take the position of the attacker; they are going to attack your company. Then you have the opposite side of that, the blue team; that's your normal incident response / information security team that will be attempting to detect, defend and prevent. And what you do is you have them work each side of that and then switch and work the opposite side, and what it does is it enables your teams to understand what an attacker actually does, how they use the techniques, the tools and the practices that they have to usurp your security measures and get in, because they're actually doing it. Somebody who's on the red team could try something they hadn't thought of trying before, and all of a sudden they now realize that part of our environment that we were going to ignore, that we thought was perfectly secure, has a gaping hole in it that I hadn't thought of before. Now you go and you spend time there and you actually close a significant gap. So that's an advanced technical tabletop at the highest level.

Finally, companies that are in heavily regulated industries may want to consider a third-party compliance assessment to help ensure that an audit, if one takes place, does not produce unpleasant surprises. Having a recent compliance assessment by a reputable service provider in hand can be a significant positive factor in how regulators view a company in the event of a data breach. During a compliance assessment, a company should be prepared to provide the same documentation that would be required in an actual audit. The documentation can include written policies and procedures relating to the company's cybersecurity as well as more technical materials such as network diagrams and system and software inventories. In many cases, regulators are particularly interested in third-party vendors who have access to sensitive systems and data, so companies should be prepared to provide business associate agreements and other evidence of due diligence with respect to the selection and supervision of service providers.

When a company is doing a compliance assessment, they should look for a couple of things. You should begin by looking for a company that's interested in helping you improve your security. You should approach those assessments from a security-first standpoint, so the assessment or the certification should be a byproduct of a good security program. I would certainly look for a company that has experience in my industry segment, whether it be retail or healthcare or what have you. I would also look for a company that has done general security consulting in that same industry and has good references. To do that, you know, you want them to have a complete picture and capabilities in your industry or in cybersecurity, and also be able to carry out the necessary certification.

[Music]

What a company should expect: a few things that are pretty much standard across all compliance assessments. One is being asked for evidence to support the testing of a control, and what that means is the auditors are going to have a set list of controls, whether it's PCI, HIPAA, whatever other assessment they're performing, and that control may say all changes are approved by an executive. So what they'll do is they'll come to you and say, how do you do that? How do you prove to me that all changes are approved by an executive? And you go, well, for every change control we have, it's numbered, and then an email is sent to the executive saying, number 300 change control, do you approve? And they reply back saying yes. And what the auditor will do is say, okay, can you provide to me every change control that you've done in the 12-month period we're assessing? Then they will randomly select a certain number of those, the number depending on how good you were the year before or how good they think you're doing right now; it could be anywhere from ten to thirty. So they say, here are thirty change control numbers, give us those change controls, what they were, and also the email that came from the executive that notes that number, that says they approved it. So that's how they test that you're performing a control, and they now have evidence you're doing it right, the way you say you do it.

Using cybersecurity services effectively can be an important part of an organization's overall cybersecurity strategy. In order to do so, it is important to identify why a particular service is being used and what is going to be accomplished. Different services may be appropriate depending on the business or organization's cybersecurity posture. It is also important to define the scope of the engagement and to be prepared to follow through on any recommendations that may result. Finally, as part of any risk management strategy, businesses should consider whether cyber insurance can help to mitigate risks that cannot otherwise be entirely avoided. Thank you very much for your time today. We hope you enjoyed this session of Travelers Cyber Academy on Cybersecurity Providers at Your Service. If you have any further questions, please contact us at TRVCyber@ems.travelers.com, or for a replay of this session to share with your colleagues and find additional resources on this topic, please visit travelers.com/cyberadvantage.
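Added example (not code from the Travelers session or from any audit framework): the control-testing procedure described above, change records for the assessed period, a random sample of them, and for each sampled change an executive's email that cites the number and says yes, written as a Python self-check a company can run before the auditor asks. One rule is an added assumption: an approval dated after the change went live is treated as not evidencing the control, which the session does not spell out. Record layouts, the approver list, the 12-month period, the sample size and every record and email are constructed for the demo.

```python
"""Self-test a change-approval control the way an auditor samples it.

Added example; not code from the Travelers session or from any audit framework.
Record layouts, the approver list, the assessed period, the sample size and the
rule that approval must precede implementation are assumptions, and all change
records and approval emails below are constructed for the demo.
"""
import random
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    number: int        # change control number the approval email must cite
    implemented: date  # date the change went live
    summary: str


@dataclass(frozen=True)
class ApprovalEmail:
    sender: str  # must be one of the approving executives
    sent: date
    body: str    # free text; must cite the change number and say yes


APPROVERS = {"cio@example.com", "cto@example.com"}  # assumed executive approver list
PERIOD_START, PERIOD_END = date(2017, 1, 1), date(2017, 12, 31)  # assumed 12-month assessment period


def population(records: List[ChangeRecord], start: date, end: date) -> List[ChangeRecord]:
    """Every change implemented in the assessed period; the auditor asks for all of them."""
    return [r for r in records if start <= r.implemented <= end]


def sample(records: List[ChangeRecord], size: int, seed: int) -> List[ChangeRecord]:
    """Random selection to test, seeded so the same selection can be reproduced later."""
    rng = random.Random(seed)
    return sorted(rng.sample(records, min(size, len(records))), key=lambda r: r.number)


def cited_numbers(body: str) -> set:
    """Integers mentioned in the email body (e.g. 'change control #300' cites 300)."""
    return {int(n) for n in re.findall(r"\b(\d+)\b", body)}


def approval_for(record: ChangeRecord, emails: List[ApprovalEmail]) -> Optional[ApprovalEmail]:
    """The email that evidences approval of this change, or None if no email qualifies.

    Evidence must (1) come from an approver, (2) cite this change number,
    (3) actually say yes, and (4) be dated no later than implementation
    (assumption: an approval sent after go-live does not evidence the control).
    """
    for e in emails:
        if e.sender not in APPROVERS:
            continue
        if record.number not in cited_numbers(e.body):
            continue
        if not re.search(r"\b(approved?|yes)\b", e.body, re.IGNORECASE):
            continue
        if e.sent > record.implemented:
            continue
        return e
    return None


def run_sampling_test(records, emails, start, end, size=10, seed=2017) -> Tuple[List[int], List[str]]:
    """Return (sampled change numbers, exception messages) for the control test."""
    picked = sample(population(records, start, end), size, seed)
    exceptions = [
        f"change {r.number} ({r.summary}): no qualifying approval from an executive before implementation"
        for r in picked
        if approval_for(r, emails) is None
    ]
    return [r.number for r in picked], exceptions


# Constructed records and emails for the demo.
RECORDS = [
    ChangeRecord(300, date(2017, 3, 2), "rotate TLS certificates"),
    ChangeRecord(301, date(2017, 3, 9), "firewall rule for vendor VPN"),
    ChangeRecord(302, date(2017, 4, 1), "patch database cluster"),
    ChangeRecord(303, date(2017, 5, 15), "decommission legacy file server"),
    ChangeRecord(304, date(2017, 6, 20), "enable MFA on admin portal"),
    ChangeRecord(305, date(2018, 2, 1), "outside the assessed period"),
]
EMAILS = [
    ApprovalEmail("cio@example.com", date(2017, 3, 1), "Re: change control #300 - yes, approved"),
    ApprovalEmail("cio@example.com", date(2017, 3, 10), "Re: change control #301 - approved"),  # day after go-live
    ApprovalEmail("helpdesk@example.com", date(2017, 3, 30), "change 302 approved"),             # not an executive
    ApprovalEmail("cto@example.com", date(2017, 5, 10), "Re: CR 303 - yes, go ahead"),
    # 304 has no approval email at all
]


def demo() -> Tuple[List[int], List[str]]:
    return run_sampling_test(RECORDS, EMAILS, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    numbers, exceptions = demo()
    print("sampled:", numbers)
    for line in exceptions or ["no exceptions"]:
        print(" -", line)
```

Three of the five sampled changes fail: one was approved the day after it went live, one was "approved" by the help desk rather than an executive, and one has no email at all. Each is the kind of gap an auditor's sample would surface; running the same test over the whole population, not just ten to thirty records, is what turns the audit finding into a fixed process.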
Cyber insurance: Protect and prevent
Review cyber insurance coverage provisions, see different coverage scenarios and learn about services that can help your company prevent losses.
[MUSIC PLAYING]
(DESCRIPTION)
Computer graphics twinkle behind the text, Access Key Required. A starred-out password is typed. A male figure holds an icon of a lock. Text, Travelers Cyber Academy - Cyber Insurance: Protect and Prevent.
(SPEECH)
SPEAKER 1: In today's challenging threat environment, cyber insurance provides important financial protections against a range of different risks. Lost or stolen data is just the start. Cyber insurance may also help to protect against fraud, extortion, and business interruption losses. A good cyber policy provides more than just financial protection, however. It also provides pre-breach services that can help a company prevent losses and post-breach services that can help minimize losses when a cyber incident occurs.
(DESCRIPTION)
Text, What we'll cover today.
(SPEECH)
In today's session of the Travelers Cyber Academy, we will review coverage provisions that are available in most cyber insurance products, including those offered by Travelers. Cyber insurance typically helps protect against first-party losses, such as expenses associated with conducting a digital forensic examination and complying with breach notification statutes, as well as third-party liability, such as responding to lawsuits or inquiries from regulatory agencies. We will also describe different coverage scenarios to illustrate who needs cyber insurance and why. Finally, we will review pre-breach services that can help companies prevent losses, not just pay for them.
(DESCRIPTION)
Threat word cloud.
(SPEECH)
Cyber insurance helps to protect businesses and organizations in a complex and ever-shifting threat landscape. If just one of these threats gets through a business or organization's defenses, the result could be a costly data breach, a disruption of business operations, regulatory inquiries, or lawsuits, or all of those.
(DESCRIPTION)
Insurance coverages.
(SPEECH)
Cyber insurance can provide both first-party coverages, which help protect against losses that result from a cyber incident, and third-party coverages, which help protect against liability claims, litigation, or regulatory inquiries that may follow from a cyber incident. Let's start by reviewing some of the first-party coverage provisions that may be available.
(DESCRIPTION)
Remediation and Notification.
(SPEECH)
Data breach remediation and notification coverage helps to protect a business when a data breach occurs. There are different kinds of events that can trigger this coverage, including unauthorized access to confidential information of others, such as PII, PHI, or PCI, that is being collected, stored, or used by the business. When coverage is triggered, the policy responds by providing reimbursement for legal consultation with a breach coach, as described in the earlier Travelers Cyber Academy session "After the Breach: Whom to Call, What to Do." Where appropriate, the policy will also provide reimbursement for digital forensic investigations, which may be needed to determine the scope of the breach and the number and identity of affected individuals, and for notification expenses, including the cost to draft legally sound notification documents and to establish and maintain a call center to handle customer inquiries. The policy may also cover the cost of providing credit or identity monitoring services to the affected individuals. The limits and deductibles for this coverage are typically expressed in dollar amounts, but coverage may also be available on a per-affected-person basis. In other words, a business could obtain remediation and notification coverage up to a specified number of affected individuals, rather than a specific dollar amount. Purchasing coverage on an affected-individuals basis can be useful for businesses that would prefer to estimate the potential number of affected individuals, rather than the potential cost of notification for those individuals.
(DESCRIPTION)
Coverage considerations.
(SPEECH)
Coverage for remediation and notification expenses is needed by businesses and organizations of every size and sector. If a business or organization has employees, for example, the IRS recently warned about a scheme to steal W-2 information in order to commit tax fraud. The IRS described the scheme as one of the most dangerous email phishing schemes seen in a long time, one that has evolved beyond the corporate world and is spreading to other sectors.
(DESCRIPTION)
Alert quote.
(SPEECH)
In a hypothetical claim scenario involving a manufacturing company and 300 stolen W-2 forms, the NetDiligence data breach cost calculator estimated potential costs to the company in excess of $200,000. Similarly, this coverage is important for any business or organization that accepts or processes credit or debit card payments, that collects or handles protected health information under HIPAA, or that collects, stores, or uses any personally identifiable information. A business or organization cannot simply assume that it has not suffered a data breach because it has not detected one. Most data breaches are discovered by a third party, such as a law enforcement agency or an outside cybersecurity vendor.
(DESCRIPTION)
Cyber extortion.
(SPEECH)
As described in the Travelers Cyber Academy session on ransomware, criminals have also turned to extortion as a way of profiting from the compromise of a computer system or computer network. Cyber extortion coverage can help a business or organization that has fallen victim to ransomware by providing reimbursement for the costs of investigating a ransom demand, retaining legal counsel or other assistance in negotiating the ransom demand, and, if necessary, actually paying the ransom.
(DESCRIPTION)
Business interruption.
(SPEECH)
A business or organization may also suffer a loss of income when its computers and networks are attacked or compromised. This can happen, for example, when systems become infected with ransomware or through something known as a denial of service attack. In a denial of service attack, the business or organization's servers are flooded with fake traffic in order to block legitimate traffic and impede normal business operations. Business interruption coverage helps protect businesses and organizations when their computers and networks are targeted by ransomware, denial of service attacks, and other malicious activity. Whereas business interruption coverage addresses attacks against the business or organization's own network assets, a related coverage known as contingent business interruption protects against attacks or outages affecting the network assets of third parties on which the business or organization depends. Examples of such third parties include website hosting providers or cloud service providers. Both business interruption and contingent business interruption provide reimbursement for extra expenses incurred in order to mitigate losses, for example, by temporarily transferring critical web applications to a different server.
(DESCRIPTION)
Coverage considerations - D.D.o.S. key.
(SPEECH)
Every business or organization that relies on data or computers in the course of its operations should consider obtaining business interruption and cyber extortion coverage. According to Symantec's 2016 Internet Security Threat Report, denial of service attacks are growing in number and intensity and are likely to continue increasing. As to ransomware, hospitals and health care providers have been the most recent high-profile victims. But a Symantec special report on ransomware in businesses found that almost every sector has been affected by ransomware in recent years.
(DESCRIPTION)
Pie chart.
(SPEECH)
The most frequently hit sectors in order were service industries, manufacturing, financial, public sector, and wholesalers. Ransomware, of course, may result in losses both from the extortion itself as well as business interruption loss. As ransomware, denial of service attacks, and other cyber threats continue to evolve and become more sophisticated, prudent businesses and organizations can look to cyber extortion and business interruption coverage to help protect against those threats.
(DESCRIPTION)
Fraud coverage - payment screen on tablet.
(SPEECH)
Cyber insurance may also include coverage for computer fraud and funds transfer fraud. Computer fraud involves the unauthorized use of a business or organization's computers to conduct a fraudulent transaction. Funds transfer fraud addresses fraud committed through spoofing, which does not necessarily involve the use of a business or organization's computers. In spoofing, a criminal poses as an employee and sends an email message or other electronic communication to a bank in order to conduct a fraudulent transaction. Coverage for social engineering fraud in which an employee of the business or organization is tricked or persuaded by a criminal to transfer money may be found in crime policies or other Travelers Insurance products.
(DESCRIPTION)
Claim scenario.
(SPEECH)
Fraud coverage is important for businesses and organizations that engage in business to business transactions involving wire transfers or other forms of electronic payment. Consider, for example, a scenario in which a criminal hacks into a company's accounts payable system and adds a new payee, causing a $350,000 payment to be sent without the company's knowledge. In this scenario, coverage for computer fraud could help protect the company from a potentially crippling financial loss.
(DESCRIPTION)
Restoration.
(SPEECH)
Finally, whether a cyber incident involves ransomware or some other malicious activity, there may be significant costs associated with recovering lost data, repairing damaged operating systems, and restoring applications and other important software files. Computer program and electronic data restoration coverage can help a business or organization defray these expenses, whether caused by a virus, a hacker, or even a disgruntled employee.
(DESCRIPTION)
Third Party.
(SPEECH)
In addition to protecting against their own first-party losses, businesses and organizations should obtain protection against third-party liability, such as lawsuits and regulatory investigations. The types of third-party coverages that are available include the following.
(DESCRIPTION)
Network and I.S. Security.
(SPEECH)
First, network and information security liability provides coverage against claims that allege a failure to prevent the transmission of computer viruses or other malware; a failure to protect confidential information of others, including PII, PHI, or PCI; a failure to provide access to authorized users; and a failure to comply with data breach notification obligations. This coverage also protects against claims that a business or organization failed to comply with its own privacy policy with respect to the protection of personally identifiable information.
(DESCRIPTION)
Media Liability.
(SPEECH)
Communications and media liability coverage helps protect against claims alleging copyright infringement, trademark infringement, trade dress infringement, and similar violations; infringements of an individual's right to publicity, including using an individual's likeness or appearance for commercial purposes without authorization; and defamation, libel, slander, and other forms of reputational harm. Coverage can be obtained for all the communications of a business or organization or specifically for claims based on email communications, social media platforms, internet websites, or other forms of electronic media. Finally, regulatory defense coverage provides protection in the event that a data breach results in a formal administrative or regulatory proceeding by, for example, the Federal Trade Commission or the Department of Health and Human Services Office for Civil Rights. Coverage may also be available for resulting regulatory fines and penalties.
(DESCRIPTION)
Coverage considerations.
(SPEECH)
Nearly all entities that collect or store personally identifiable information should consider obtaining network and information security liability coverage to protect against the risk of being sued in the event of a data breach. According to the 2016 cyber claims study by NetDiligence, legal defense and settlement costs were included in approximately 10% of all cyber claims, with average total costs of more than $900,000. In addition, regulatory defense coverage is critical for businesses and organizations that handle the confidential information of others, such as PHI, PCI, or PII. In particular, the regulatory environment is fast-paced and constantly changing. In March 2017, for example, the New York State Department of Financial Services finalized cybersecurity regulations that establish comprehensive requirements for financial institutions and affiliates, changing how those companies will be affected by a cybersecurity event. Also, regulatory investigations can be costly. In a hypothetical claim scenario involving a health care provider and 750 stolen patient files, the NetDiligence data breach cost calculator estimated potential costs to the health care provider following a regulatory investigation in excess of $400,000.
(DESCRIPTION)
Fines and Assessments.
(SPEECH)
Coverage is also available for businesses and organizations that receive, handle, or process payment card information. As described in the Travelers Cyber Academy session "It's in the Cards: Payment Card Security," those entities may be required by contract to pay fines, fees, or assessments in the event of a breach of PCI data. This coverage helps to protect against the cost of conducting PCI forensic investigations; resulting fines, fees, or assessments; and chargebacks for fraudulent activity relating to stolen PCI. Depending on the extent of the breach, these costs can range into the millions of dollars. In addition, if a business or organization's systems are found to be non-compliant with the PCI Data Security Standard after a data breach, coverage may be available for the costs associated with coming into compliance and for obtaining a qualified security assessment in order to establish compliance.
(DESCRIPTION)
Errors and Omissions.
(SPEECH)
Companies that produce or provide technology goods or services should also consider obtaining errors and omissions coverage, or tech E&O. This coverage provides financial protection against third-party claims, which may include claims that relate to technology products that do not meet required specifications, software that is buggy and not performing as expected, or technology services that are not meeting customer expectations, resulting in financial harm to the customer or other third parties.
(DESCRIPTION)
Exposure.
(SPEECH)
In determining what kind of coverage is needed by a business or organization, here are some of the fundamental questions to consider. What sensitive information does the business or organization collect or store? This can include information obtained from customers, from employees, and from other businesses or individuals. How sensitive is the data? Certain kinds of information are inherently more valuable or more likely to lead to lawsuits or regulatory inquiries than others. How is sensitive data to be collected, used, shared, and disposed of? Data that is widely shared, for example, whether within a business or with outside parties, is obviously more vulnerable to compromise. And what systems or data does the business or organization depend on? If the operations of a business or organization rely on critical applications, data centers, or cloud services, there is likely a need for robust business interruption coverage.
(DESCRIPTION)
Good insurance provides a package of benefits.
(SPEECH)
A good cyber insurance policy will provide more than just financial protection. It will also provide access to other benefits, such as pre-breach services that can actually help a company prevent losses. According to the 2016 Cost of Data Breach Study by the Ponemon Institute, the average cost of a breach was lower for businesses that carried cyber insurance than for businesses that did not.
(DESCRIPTION)
Four pairs of hands work on laptops.
(SPEECH)
Here at Travelers we offer a range of cyber insurance products that fit the needs of businesses of all shapes and sizes. CyberFirst Essentials covers small businesses, including tech companies and professionals. CyberFirst focuses on mid to large technology companies and up, as well as public sector entities. CyberRisk covers everything else, from private and non-profit entities and financial institutions up to the largest publicly held companies. Additional information about these products can be found at www.Travelers.com/cyber or from your local independent insurance agent or broker.
(DESCRIPTION)
Pre-Breach Services.
(SPEECH)
In April 2017, Travelers announced that it engaged Symantec, one of the world's leading cybersecurity companies, to provide an array of valuable pre-breach services for Travelers cyber insurance policy holders including one or more of the following, depending on the type of policy purchased. Access to a cybersecurity assessment tool that can help businesses and organizations better understand their current cybersecurity posture, what is being done well, and where improvement is needed. Cybersecurity awareness training. Employees who have been educated about cyber threats are the strongest defense against both internal and external attackers. Educating your entire organization not only helps to minimize potential attacks, but can reduce internal security accidents. Discounts on cybersecurity products and services, such as Norton for small business software, DeepSight Intelligence, and Symantec Managed Security services. Access to cybersecurity expertise, through white papers, cybersecurity updates, or live access to a cybersecurity coach.
(DESCRIPTION)
Policy, Protect, Business and Secure graphic.
(SPEECH)
In sum, cyber insurance is an important risk management tool for businesses and organizations to use when addressing cyber risks. This is especially so as other lines of insurance are more regularly excluding coverage for cyber-related incidents. However, coverage terms and availability can vary widely, so it is important for a business or organization to work with a trusted independent insurance agent or broker to obtain coverage appropriate to its specific needs.
(DESCRIPTION)
How a business can protect itself.
(SPEECH)
A business or organization can better protect itself by understanding the cyber risks that it faces, and by working with a trusted independent insurance agent or broker to obtain cyber insurance with appropriate first-party and third-party coverages. A business or organization can also benefit from the valuable pre-breach services that a good cyber policy provides to help improve its cybersecurity.
(DESCRIPTION)
Contact email and information link.
(SPEECH)
Thank you very much for your time today. We hope you enjoyed this session of the Travelers Cyber Academy on "Cyber Insurance, Protect and Prevent." If you have any further questions, please contact us at TRVCyber@ems.travelers.com. Or for a replay of this session to share with your colleagues and find additional resources on this topic, please visit travelers.com/cyberadvantage.
(DESCRIPTION)
Copyright 2017, The Travelers Indemnity Company. Disclaimer – This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers. In particular, this presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. The availability of coverage referenced in this presentation may depend on state regulations and other factors. The Travelers Indemnity Company and its property casualty affiliates. One Tower Square, Hartford, CT 06183
IOT in the SMB: Secure the future
Learn how businesses use the Internet of Things (IoT) to build better products, improve operations and even protect employee health and safety. You'll also learn about IoT-associated risks.
The Internet Protocol, which is the foundational communications protocol underlying the internet, was established in 1982. At first, the internet connected only a small number of universities, research facilities and government institutions. The internet was transformed as personal computers became ubiquitous at home and in businesses everywhere, and it has continued to evolve with each wave of new technology, from e-commerce, mobile devices and social media to internet-connected devices like Fitbits, home thermostats, appliances and even cars. Each of these changes has brought new risks and new opportunities. Businesses that do not appreciate the risks, or that fail to pursue new opportunities, get left behind, while businesses that understand the risks and are able to protect against them can take advantage of new opportunities to secure the future.

In today's session of the Travelers Cyber Academy, IoT in the SMB, we will look at how businesses today are using the Internet of Things. We will also explore some of the risks associated with the Internet of Things, as explained by Glenn Carl, a Symantec cybersecurity professional who can be reached by Travelers CyberRisk and CyberFirst policyholders on the Travelers cybersecurity coach helpline. Finally, we will talk about ways that businesses and other organizations can mitigate those risks as they incorporate IoT devices and technologies into their operations.

Most of us have heard of the Internet of Things. We are surrounded by devices like phones, cameras, appliances and even light bulbs that are connected to the internet and are thereby more functional and more convenient for us to use. Of course, the idea of controlling real-world devices through computer networks is not new. Industrial control systems, sometimes known as SCADA systems, have long used the internet to allow remote monitoring and control of industrial processes, power plants, transportation systems and the like. Now those systems are sometimes being referred to as the industrial Internet of Things, or IIoT.

Today IoT devices are proliferating in the consumer market, and they're becoming increasingly more important for businesses as well. According to Gartner, there were approximately 6.3 billion IoT devices in use in 2016, including both consumer and business users. That number is projected to more than triple by 2020, when over 20 billion IoT devices are expected to be in place. The highest rate of growth is forecast for IoT devices that can be used across different industry segments, such as smart meters, smart lighting and other environmental control systems. The use of cross-industry IoT devices is expected to increase nearly fourfold by 2020. All told, the economic impact from the use of IoT devices could range from 3.9 trillion dollars to 11 trillion dollars by 2025, according to a study by the consulting firm McKinsey and Company. Most of that value will be realized outside the home and consumer setting, in places like factories, work sites, offices and retail environments.

How are businesses positioning themselves today to take advantage of these new opportunities? First, businesses are designing and building smarter products, from refrigerators that can help order groceries and wearable devices that can promote healthier lifestyles to cars that will one day navigate and drive autonomously. These devices combine internet connectivity and a modicum of machine intelligence in order to provide greater ease of use and functionality. Many devices also collect diagnostic information about how they are being used. This information can help ensure that the device is being used and maintained properly. For example, in addition to ordering groceries, a smart refrigerator could order a new filter when it needs a replacement. Businesses can also use this diagnostic information to better understand how consumers are using a device and to drive product development.

For many businesses, the value of the Internet of Things will come from improvements to their operations. In production environments, for example, businesses are using sensor data from internet-enabled devices to optimize the performance of manufacturing equipment and processes, which can reduce reliance on human judgments and observations that may be fallible. Businesses across the board can also benefit from using IoT technology for more efficient energy management, in manufacturing and production processes as well as in the more efficient use of environmental controls such as lighting, heating and air conditioning. Finally, businesses can monitor equipment usage and performance data more closely, allowing them to supplement or replace routine maintenance schedules with predictive maintenance. This can help to extend equipment lifespans and avoid equipment failures that could result in significant production delays.

The Internet of Things is also having a significant impact on logistics and transportation. For example, businesses are using IoT data to enable intelligent supply chain management, ensuring that the right materials are available at the right places when they're needed. Businesses are also using IoT data to improve fleet management, helping to reduce transportation costs, and they are tracking supplies and products more closely, at a more granular level, allowing them to provide better service to their customers while also reducing losses from waste and theft.

Finally, businesses are using IoT devices to provide for greater employee health and safety. For example, employees can be warned about dangerous conditions such as unbalanced loads or approaching vehicles. Employers can also use IoT devices to help identify employees who may be fatigued or injured. IoT devices can also be used to conduct hazardous operations remotely, reducing the exposure of a business's employees to actual physical injury. Security cameras and other internet-connected access controls can help to ensure that only authorized personnel have access to the workplace, and to further limit access to sensitive or dangerous areas.

Finally, businesses can use the Internet of Things to provide a better customer experience. In the retail environment, customers can be identified from the mobile devices they carry or through facial recognition or similar technologies. Once inside the store, customers can be offered discounts or promotions that are tailored to them based on their past shopping history or on the area of the store they are lingering in. If a customer has shopped for a certain product online, the retailer can direct them to the same product or to related products in the store, thus blurring the distinction between online shopping and the bricks-and-mortar experience. Retailers can also use IoT devices to track general traffic patterns in a store and then use that data for shelf space optimisation and for better inventory management.

Let's hear from Glenn Carl, a cybersecurity professional at Symantec who is available to Travelers CyberRisk and CyberFirst policyholders through the Travelers security coach helpline, as he talks about the Internet of Things.

Companies need to assess and understand the cyber risks that are out there, including risks related to IoT devices. This is the Symantec Cyber Insurance Center, which we built to work with Travelers to help cyber insurance policyholders improve their cybersecurity posture. Policyholders can reach us through the toll-free security coach helpline or by completing the cyber resilience readiness assessment. After completing the assessment, policyholders can choose to send the results and the report here to the center, where we can answer questions about threats, vulnerabilities and security controls based on the data and cyber intelligence from the Symantec Global Intelligence Network.

Some of the key reasons are: there's a reduction in operating costs that can be associated with IoT devices; they can increase productivity, using IoT devices correctly; third of all is the expanding into new markets. There are an infinite amount of new markets that are out there, one example being a couple of college students creating a smart trash receptacle that is solar powered, is a trash compactor and is interconnected with the waste management companies and the city, so they know when to pick up the trash versus just doing it every day, seven days a week. The more IoT devices are out there... since people are already moving to the cloud and then moving to the infrastructure, you know, IaaS, SaaS, software as a service and infrastructure as a service, as they start to do that more, it makes IoT even more relevant. And then if you combine that with automation, and you combine that with artificial intelligence, all of a sudden those things combined are what are dramatically driving the, you know, the change right now, and that's where the productivity is going to come from. You know, we were at a bit of a plateau for a while, I think, with innovation, but now it's taking off again, and now just going to the next change. These are the next changes that are going to make the biggest impact on the world and businesses, small or large.

Before businesses deploy IoT devices, however, they need to consider and weigh the potential risks. First and foremost, IoT devices that control real-world systems and processes can cause real-world damage if they fail or are compromised. Many customers, for example, use smart thermostats in their homes. It was widely reported last year that one brand of smart thermostat failed to work properly after a software update caused the battery to drain too quickly, resulting in freezing cold homes in the dead of winter. In a more industrial setting, it has been reported, for example, that the Ukrainian power grid was successfully attacked by hackers, resulting in outages that caused approximately 225 thousand customers to lose power. The attack originated with phishing emails, a technique that was described in the Travelers Cyber Academy session on exploring the dark side of the internet. After the attackers secured access to the computer networks of three utility companies in the Ukraine, they were able to hijack several industrial control systems, lock out the legitimate operators and remotely open the breakers at 27 substations. The attackers also electronically sabotaged communications devices that could have been used by the utility companies to bring the substations back online.

A second significant risk involving the Internet of Things is that IoT devices often collect data that can be linked to specific people, such as the individuals using the device or employees or customers of the businesses using the device. Depending on the type of data being collected, the loss, compromise or misuse of collected data can be covered by privacy laws and can subject a business to regulatory inquiries or lawsuits. Earlier this year, for example, a prominent manufacturer of smart TVs agreed to pay a fine to resolve a complaint brought by the Federal Trade Commission and state authorities. In court filings, the regulators alleged that the company collected detailed data about TV viewing history without obtaining consent from the purchaser of the television. Although the company did not acquire or allow the acquisition of the purchaser's name, the practice was alleged to be an unfair and deceptive trade practice.

The third risk that businesses should consider is the potential for business interruption losses when IoT devices are incorporated into business operations. We have already described one example, when Ukrainian power companies were attacked by hackers. In another recent example, a luxury hotel in Europe was forced to pay a Bitcoin ransom when hackers were able to seize control of the electronic key locks for all the guest rooms, locking all the guests in the fully booked hotel out of their rooms. More information about ransomware and bitcoins was provided in an earlier session of the Travelers Cyber Academy on ransomware.

Unfortunately, many IoT devices are vulnerable to attack. Indeed, the FBI issued a public service announcement in 2015 warning that IoT devices could be hijacked and used for criminal activity if security precautions, such as changing default passwords, were not taken. That came to pass last year when criminals began using IoT devices as part of the Mirai botnet. These devices included internet-connected surveillance cameras, Wi-Fi routers and even business printers that were vulnerable because they were configured with default administrator passwords. In a simple botnet, computers that have been infected with a virus can be controlled by a criminal, known as a bot herder, through a central command and control server. Information from the infected computers can be stolen by the bot herder, and the botnet can be used to conduct denial of service attacks by flooding the victim with spurious traffic. The Mirai botnet upped the ante, adding IoT devices into the mix of compromised devices. Mirai was used to conduct several notable denial of service attacks, including an attack against a service provider named Dyn DNS that caused a number of internet websites to go down.

Let's hear from Symantec cybersecurity coach Glenn Carl on what makes IoT devices vulnerable and how companies can protect themselves when using the Internet of Things.

Some of the biggest problems with the current IoT devices are that they're released with flaws already built into them. Some don't have boot sector protections, so people can compromise the device and take it over. A lot of devices don't have encryption built into them; therefore the data on them is vulnerable, and their communications are also vulnerable. Many devices don't have a way to patch firmware or to patch the operating system, making them again vulnerable. When somebody cracks one of those devices, they now own every one of those devices that's out there. Then the default passwords: on many devices people don't reset the default password, so anybody that finds out the default password, which is just in the device documentation, can then own that device, take it over and do what they like with it.

Some real-world IoT hacks that have happened out there: the most famous being Stuxnet, which was an attack on an Iranian uranium enrichment facility. They had a worm that attacked the centrifuges that were enriching the uranium, and they were able to bring those down, slow them down, cause all kinds of havoc. There's been a number of medical devices that have been, you know, ethically hacked at this point, one of them being a pacemaker that university students were able to control, increasing and decreasing the speed of the pacemaker. Another medical device in the same ethical hack was an insulin pump that had been compromised, where they were able to increase or decrease insulin flow, obviously causing safety issues. Another example of IoT devices being vulnerable happened in the auto industry. There's been many, but one of the first ones was the 2014 Jeep Cherokee, where ethical hackers were able to manipulate the braking system, and they were also able to manipulate the transmission, which obviously is a huge safety concern.

Companies need to assess and understand the cyber risks that are out there, including risks related to IoT devices. Here at Symantec, for example, we have an ethical hacking competition that involves things like mock oilfields, ATM machines and other IoT devices. As companies deploy Internet of Things devices, they're going to want to ensure that these devices are tamper proof, that their ports are protected, that their boot sectors are protected, that their operating systems are protected. They're also going to want to ensure that these devices can be updated, that the firmware can be updated, that the operating systems can be patched. They're going to want to make sure they change default passwords so that they're not easily accessed. They're going to want to make sure that they're segmenting those devices off onto a separate network, and that that traffic is controlled and firewalled. And lastly, they're going to want to ensure that these devices are encrypted, so that they're protecting the data that's on them but also protecting the data that's in transit.

In short, the Internet of Things presents opportunities and risks that businesses cannot afford to ignore. As businesses start using IoT devices more and more, they should focus early on security and privacy issues. This is true for businesses that actually build IoT devices as well as businesses that are adding IoT devices to their operations. IoT devices that collect or process sensitive data, for example, should encrypt the data when it is stored and transmitted. When it is necessary to use IoT devices that may be insecure, it is important to use compensating controls to protect them. For example, place the devices on a segmented part of the network, or use firewalls to control the types of traffic that are permitted to and from the devices. It is also important to use devices that can be patched and updated if security vulnerabilities are found, and to plan for how those patches will be applied after the devices are installed. Of course, when installing IoT devices, make sure to change or disable default passwords and accounts. And as always, consider obtaining appropriate insurance coverage to help manage your cyber and privacy risks.

Thank you very much for your time today. We hope you have enjoyed this session of the Travelers Cyber Academy on IoT in the SMB: Secure the Future. If you have any further questions, please contact us at TRVCyber@ems.travelers.com. Or, for a replay of this session to share with your colleagues and find additional resources on this topic, please visit travelers.com/cyberadvantage.
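The session above recommends two compensating controls for IoT devices: retire factory-default accounts (the Mirai lesson) and keep the devices on their own firewalled segment. The following is an added example, not code from Travelers, Symantec or the session's speakers, showing how a small business without a dedicated SOC could check its own logs for both controls; the log format, the 10.20.0.0/24 IoT segment, the egress allowlist and the default-account list are all constructed for illustration.

```python
import ipaddress
import re

# Constructed policy: the IoT segment and the only destinations its devices
# should reach (a firmware-update service and an NTP server). The addresses
# are documentation ranges, not real infrastructure.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    ipaddress.ip_address("203.0.113.10"): {443},  # vendor update service
    ipaddress.ip_address("203.0.113.20"): {123},  # NTP
}
# Constructed list of factory account names that ship in device documentation.
DEFAULT_ACCOUNTS = {"admin", "root", "user", "support"}

# Constructed syslog-style lines, two record types:
#   LOGIN <device-ip> user=<name> result=<success|failure> src=<ip>
#   FLOW  <src-ip>:<port> -> <dst-ip>:<port> proto=<tcp|udp>
SAMPLE_LOG = """\
LOGIN 10.20.0.5 user=admin result=success src=10.20.0.200
LOGIN 10.20.0.5 user=camops result=success src=10.0.1.15
LOGIN 10.20.0.7 user=root result=failure src=198.51.100.77
FLOW 10.20.0.5:51234 -> 203.0.113.10:443 proto=tcp
FLOW 10.20.0.5:51235 -> 203.0.113.20:123 proto=udp
FLOW 10.20.0.7:40000 -> 10.0.1.15:445 proto=tcp
FLOW 10.20.0.9:40001 -> 198.51.100.77:23 proto=tcp
FLOW 10.0.1.15:55000 -> 10.20.0.5:80 proto=tcp
"""

LOGIN_RE = re.compile(r"^LOGIN (\S+) user=(\S+) result=(success|failure) src=(\S+)$")
FLOW_RE = re.compile(r"^FLOW (\S+):(\d+) -> (\S+):(\d+) proto=(\w+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it is not a known record."""
    m = LOGIN_RE.match(line)
    if m:
        return {"type": "login", "device": ipaddress.ip_address(m[1]),
                "user": m[2], "result": m[3], "src": ipaddress.ip_address(m[4])}
    m = FLOW_RE.match(line)
    if m:
        return {"type": "flow", "src": ipaddress.ip_address(m[1]), "sport": int(m[2]),
                "dst": ipaddress.ip_address(m[3]), "dport": int(m[4]), "proto": m[5]}
    return None


def check_default_accounts(events):
    """Flag devices where a factory account is still usable, and probes against one."""
    findings = []
    for e in events:
        if e["type"] != "login" or e["user"] not in DEFAULT_ACCOUNTS:
            continue
        if e["result"] == "success":
            # A successful login means the default account was never disabled.
            findings.append(("default-account-active", str(e["device"]), e["user"]))
        elif e["src"] not in IOT_SEGMENT:
            # A failed attempt from outside the segment is worth an analyst's look.
            findings.append(("default-account-probe", str(e["device"]), str(e["src"])))
    return findings


def check_egress(events):
    """Flag IoT devices talking to anything the segment firewall should not allow."""
    findings = []
    for e in events:
        if e["type"] != "flow" or e["src"] not in IOT_SEGMENT:
            continue
        if e["dst"] in IOT_SEGMENT:
            continue  # device-to-device traffic inside the segment is not egress
        if e["dport"] not in ALLOWED_EGRESS.get(e["dst"], set()):
            findings.append(("egress-violation", str(e["src"]),
                             f"{e['dst']}:{e['dport']}/{e['proto']}"))
    return findings


def analyze(log_text):
    """Run both checks over a block of log text and return all findings."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    return check_default_accounts(events) + check_egress(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this reports one device still accepting its `admin` account, one external probe of a `root` account, and two flows leaving the IoT segment that the allowlist does not cover (an SMB connection into the corporate LAN and a Telnet connection to an outside host).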
The SOC: Frontline of cyber defense
Explore a Security Operations Center (SOC) that is responsible for monitoring systems, networks and applications as well as investigating and responding to potential cybersecurity incidents.
Welcome to the Travelers Cyber Academy, a webinar series on cybersecurity and cyber risk management. Businesses everywhere use systems like firewalls and antivirus to protect sensitive systems and data from hackers. These systems generate data, sometimes voluminous amounts of data, that can contain valuable information about an attack that is happening or is about to happen. Finding that information is the job of the SOC. The security operations center, or SOC, is the nerve center of a business or organization's cybersecurity operations. The SOC is responsible for monitoring systems, networks and applications, and for investigating and responding to potential cybersecurity incidents. Even a small or medium-sized business that does not have a dedicated SOC needs to perform those critical functions.

During today's session of the Travelers Cyber Academy, we will go inside the FireEye SOC in Reston, Virginia, where we will hear from FireEye's Robert Willis about the cyber threat that keeps him awake at night and the four types of cyber threats that companies face today. We will also hear from FireEye lead security analyst Nick Schroeder, who will describe the cyber attack lifecycle and why it matters to today's businesses. We will cover traditional network defense tools and technologies, which help companies detect attacks early in the attack lifecycle, and we will hear from Robert and Nick how cybersecurity is evolving, going beyond firewalls and antivirus in order to help companies protect against today's most dangerous cyber threats.

The threat that keeps me up at night is the threat that is targeted, it's persistent, its goal is political or economic gain, often referred to as advanced persistent threats. Threats can be categorized basically in four groups. The first is the nuisance threat; it's often referred to as commodity. This is an automated attack, it's not targeted, the goal is access and propagation, and when you think about the nuisance threat, think botnets and spam. The second type of threat is hacktivism. This is, think Anonymous, right? Everybody's heard of Anonymous. This is about website defacement; they're doing it for press, they're doing it for policy. The goal of that is to really disrupt things. The third type of threat, which is data theft or cyber crime: it's a targeted attack, it's persistent, you know, they're well-funded, their goal is cyber espionage, finding out secrets of companies, potential mergers and acquisitions; they're trying to access trade secrets. The last threat is financial duress. The goal is, think credit card theft, right? You've heard of big breaches in the media where credit card data was taken. I think cybercrime is interesting because it can impact anybody, from the small mom-and-pop shop processing credit cards up to the big retail organizations like Target or Home Depot. This is really about financial gain: getting those credit card numbers and selling those credit card numbers, or using those credit card numbers for, you know, evil. They're highly sophisticated, they have tools and techniques that are constantly evolving, they're well-funded and, you know, it's a business.

As a director at FireEye, I oversee the security operations centers. Our objective is to protect our customers worldwide by providing 24 by 7 security operations monitoring. FireEye protects Fortune 500 companies and also the smaller Main Street business type of customer. It's not super large, maybe not doing really big defense contracting or things that people would associate as being a target company, but what we've seen is that, you know, a lot of these smaller companies, they get a false sense of security. They deploy, you know, technology and they check all the compliance boxes, and then they're surprised when they get compromised. I think everybody needs to worry about cybercrime. If you're a small business and you're processing credit card data, and that credit card data was to be breached and compromised and shared, not only the brand damage, it could put you out of business, basically. The other thing that we've seen, that a lot of companies, you know, probably don't even take into consideration: we've seen small companies, 20, 30 employees, working with a big company, and in their working relationship they have some type of connectivity between their networks. An attacker could access that smaller company and go through emails or data and find everything that they need to know about that larger company without even, you know, accessing that larger company's network. And it's genius, because who would think that you would have a threat coming from a trusted network? So yes, small companies, Main Street companies, you need to be concerned about cybersecurity. So it's a real risk.

One way for a business to protect itself against cyber risks is to use a security operations center. Even a small business may have many different security systems that generate alerts and other security-related data. These systems can include firewalls, spam filters, intrusion detection systems, data loss prevention systems and file integrity monitoring systems, to name just a few. In addition, there may be hundreds or thousands of users on the network whose computers can generate security alerts, whether from antivirus software or from other systems and applications. The security operations center protects the integrity of the network by collecting alerts and other security-related data, triaging and analyzing the data, and responding appropriately. Let's find out from FireEye lead security analyst Nicholas Schroeder what he looks for when responding to an alert.

What we do is we look for anomalies on systems or inside of networks. These are things that technology maybe can't detect, and it takes a human to determine whether they are evil or not. So when we talk about hunting, there's two different things that we need to go over. So you have your typical basic technology and your perimeters. The basic technology would include firewalls and antivirus and IPS or IDS. These devices all work on signatures or behavior-type analytics. What these are going to do is look for things that are already known bad, so vendors will release signature sets of activity that has been previously determined as evil. Now when we talk about hunting, what hunting does is we look for things that signatures don't hit on, things that may or may not be bad, things that people don't know about yet. We're able to pull data back from the FireEye appliances and the FireEye devices, comb through that, apply analytics to that and determine if something is evil or not.

The first thing that's going to happen when an alert fires in a customer environment is the analyst is going to log into the console. So the console, this is a centralized location where all the alerts from all the FireEye devices from our managed customers come into our back end. These alerts are ordered in severity and priority, where a priority one would be more important to look at than, let's say, a priority three. We're going to go look at the alert, we're going to determine what that alert is and what the signature that fired is exactly looking for. For example, for a network signature, we're going to make a determination if that network traffic matches that network signature. If we find the host where the traffic is being generated, we can do a deep dive into a forensic investigation into that host to make a determination of what application is making the connection. If it's malware, what are the next steps we should do? Is there anything else in the network that's infected, or are there any other systems, are there any other FireEye customers that were seeing similar traffic? Where's the traffic going? What is the traffic trying to do? So things like this are all what analysts are doing when we're analyzing alerts. So for example here, when we would look at this network traffic we'll be looking for things such as source, destination, what protocols are being used, things that would help the analyst make a determination whether or not this piece of traffic is malicious or not.

Here at FireEye, when we're responding to these different types of alerts, we always want to try to catch the attackers as early in the attack lifecycle as possible. So the first phase is the initial compromise phase. This is typically going to be where the attacker will send what's known as a spear phishing email to a victim inside the network. After the attacker has gotten credentials or gotten access to the system, they're going to want to try to establish a foothold. Establishing a foothold for an attacker is typically done through back doors or other types of malware that the attacker can communicate with from outside to inside the company. The next thing the attacker is going to want to do is escalate the privileges. Depending on how the back door is deployed, the attacker might only have low-level credentials, where they would want something higher, such as an administrator. Having administrator-level credentials will allow the attacker to explore the entire network at an elevated level. Once an attacker has elevated privileges, they're going to want to explore around the network, looking to see what you have or looking to see what is available for stealing. This phase is called the internal reconnaissance phase. They're going to start moving laterally, which is the next phase of the attacker lifecycle. Moving laterally can involve things such as moving from computer to computer, or moving files from different computers, ready to stage them for exfiltration. While an attacker is moving laterally, they may find themselves on a system or a different segment of the network they didn't have access to previously, so then they're going to want to back door again and maintain persistence on that segment as well. Completing the mission involves things such as exfiltrating the data. It also may include the attacker cleaning up their tracks, such as deleting logs, removing the back door or modifying timestamps of existing applications.

In order for a business to protect its critical data assets and infrastructure, it must monitor its computers and networks closely for signs of attack. The earlier in the attacker lifecycle that an attack can be detected, the easier it will be for the business to respond effectively and prevent the loss of data. Let's see how the security operations center pulls together data from different cyber defense tools and technologies in order to disrupt the cyber attack lifecycle.

As described in an earlier session of the Travelers Cyber Academy, firewalls filter network traffic, both inbound and outbound, based on characteristics like the source, the destination or the communications protocol being used. Firewalls can also be used to segment a corporate network so that computers used for credit card payment processing, for example, cannot be accessed from less secure parts of the network. Properly configured firewalls can help prevent the initial compromise of the network and can also block an attacker's attempt to move laterally. Firewalls traditionally focus on routing information, not the actual content of the network traffic. Content filters, such as a spam filter on an email server, provide the next level of defense. These systems try to identify malicious email messages and attachments by examining the contents of the message as well as metadata contained in the email message header. While it is a good first step to identify and delete those malicious emails, it is better to also investigate whether the emails are merely part of a commodity spam campaign or whether they are part of a spear phishing attack that is specifically targeting the business and its employees. Later in this webinar, FireEye's Nick Schroeder will describe a more advanced technique in which malicious files are automatically identified and allowed to run in a secure environment in order to obtain intel about what they are doing and how to better identify them.

If an unwary user clicks on a link in a malicious email message or on the internet, antivirus software may be able to prevent the attacker from establishing a foothold on the user's computer. Antivirus software is designed to detect files containing malicious software, also known as malware. Antivirus identifies malware by matching virus signatures to the contents of a file, or by using more advanced techniques like examining how the file behaves. Antivirus software can be configured to scan files such as email attachments as well as removable media devices such as CDs or USB drives. Once an attacker has established a foothold on the network, the next step is typically to escalate privileges. File integrity monitoring systems can help prevent that by ensuring that any change to critical operating system files will be detected. When an attacker attempts to conduct internal reconnaissance on a network or to move laterally, these efforts can sometimes be detected and thwarted by an intrusion detection system or intrusion prevention system. These systems look for unusual patterns in network traffic, or for changes to the configurations of computers or network devices that indicate a security compromise has occurred. A data loss prevention system can help to stop an attack from completing its mission, actually exfiltrating data from a compromised network. DLP systems can recognize sensitive data that is being transmitted on the network by monitoring for specific files or data, by pattern matching, or by using digital fingerprints or hash values, among other techniques. Finally, many businesses use a security incident event management, or SIEM, system to perform some of the functions of a dedicated SOC. Whether they're using a SIEM system or a SOC, it is important for businesses to track, investigate and respond to security incidents in a thorough and systematic manner. Even with all these defensive measures, cyber criminals are sometimes still able to succeed. Let's hear from FireEye's Nick Schroeder and Robert Willis about
some more advanced security measures and about what company should focus on to prevent Network intrusions the technology is changing all the time for example here at fireeye we have what's called the MDX technology now what this technology allows us to do is wind threats are coming into the network it allows us to detonate the threats now detonation means we actually execute the now where someone like firewalls or intrusion detection systems that will just drop the traffic or block it or not allow it the MVX technology will actually take the malicious binary that is attempting to enter the network execute it and make a determination whether or not if it's malicious or if it's okay or benign and allow it to pass through additionally during the execution we're able to collect intelligence from the binary or from the execution sequence we can then take that intelligence and apply it across the fire ice pack of technologies one of the primary advantages of using fire rises service versus building out your own sock is community protection and the best way to understand community protection is with an example so let's say you're a finance company and you're a fire eyes a service customer there's another finance company that's breached during the investigation we find evil we've ever seen before there's two things that we're going to do immediately one we're going to create some type of detection methodology that we can use to deploy to all the customers to find out if any of them have been compromised the second thing we're going to do is try to figure out how were they compromised in the first place let's just say it was an exploit a flash or java we can then go to our other customers and sakes one of your peers was breached we have detection in your environment for your protected and also here's how they did it they compromised Java if you patch Java with this release you're now protected that's community protection and it's powerful having a robust cybersecurity 
program is essential when you're building out your program be sure to give it the attention it deserves having multi-factor authentication on all critical systems can help limit the amount of damage and attacker can do after you build out your cybersecurity program I strongly recommend going with a third-party provider like me and Ian to do a security program assessment this way you can identify any gap having detailed logging enabled on all critical systems can help you respond to breaches faster by knowing exactly if what an attacker did remember the breach is inevitable it's how you respond that matters be sure you have a robust into the response plan and be prepared to execute on it thank you very much for your time today we hope you enjoyed this session of the travelers cyber Academy the sock frontline of cyber defense if you have any further questions please contact us at ERV cyber at EMF travelers com or for a replay of this session to share with your colleagues and find additional resources on this topic please visit travelers calm forward slash cyber advantage
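One way the DLP techniques listed in this session fit together, as an added example (not code from the session or from any DLP product): pattern matching for card numbers and Social Security numbers, a Luhn check so that order numbers that merely look like card numbers do not raise alerts, and a SHA-256 fingerprint that catches a protected file leaving as an attachment. The protected document, the outbound messages and the alert format are constructed for illustration.

```python
import hashlib
import re

# Added example, not code from the Travelers session or any DLP product. The
# protected "customer list" and the outbound messages below are constructed.

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digit card numbers, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN in dashed form


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every real PAN passes; rejects order and tracking numbers that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(data: bytes) -> str:
    """Digital fingerprint of a protected file; a hash match catches the file leaving as an attachment."""
    return hashlib.sha256(data).hexdigest()


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in the alert, so the alert itself is not a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_message(msg: dict, protected_hashes: set) -> list:
    """Return one finding per sensitive item found in an outbound message."""
    findings = []
    for m in PAN_RE.finditer(msg["body"]):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                      # pattern match alone would also flag message 2
            findings.append({"id": msg["id"], "type": "pan", "value": mask_pan(digits)})
    for m in SSN_RE.finditer(msg["body"]):
        findings.append({"id": msg["id"], "type": "ssn", "value": "***-**-" + m.group()[-4:]})
    for name, data in msg.get("attachments", {}).items():
        if fingerprint(data) in protected_hashes:
            findings.append({"id": msg["id"], "type": "fingerprint", "value": name})
    return findings


# Constructed protected document and sample outbound mail (not real data).
CUSTOMER_LIST = b"customer,phone\nACME Corp,555-0100\nGlobex,555-0199\n"
PROTECTED_HASHES = {fingerprint(CUSTOMER_LIST)}

OUTBOUND = [
    {"id": 1, "body": "Invoice paid with card 4111 1111 1111 1111, thanks."},
    {"id": 2, "body": "Your order 1234 5678 9012 3456 has shipped."},   # fails Luhn: no alert
    {"id": 3, "body": "Please update the payroll record for SSN 123-45-6789."},
    {"id": 4, "body": "As discussed, attached.", "attachments": {"q3.csv": CUSTOMER_LIST}},
    {"id": 5, "body": "Lunch at noon?"},
]


def scan_all(messages=OUTBOUND, protected_hashes=PROTECTED_HASHES) -> list:
    """Run the three checks over every outbound message and collect the findings."""
    findings = []
    for msg in messages:
        findings.extend(scan_message(msg, protected_hashes))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"message {f['id']}: {f['type']} -> {f['value']}")
```

Messages 1, 3 and 4 produce findings; message 2 matches the card-number pattern but fails the Luhn check, which is the kind of false positive a pattern-only rule would generate. Exact-hash fingerprinting only matches an unmodified copy of the file; commercial DLP products add partial-document matching for edited or excerpted copies.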
PHI: Everywhere you don't realize
Allow us to demystify protected health information (PHI). Learn what it is and how frequently it appears in records of businesses that are unrelated to healthcare.
Welcome to the Travelers Cyber Academy, a webinar series on cybersecurity and cyber risk management. Our topic for today is protected health information, or PHI: everywhere you don't realize. In this presentation we will demystify protected health information, also known as PHI. What is PHI, and how is it different from personally identifiable information, known as PII? We will explain why PHI is so valuable and why it needs to be handled differently than other sensitive information. Mishandled PHI can have serious consequences; in particular, PHI is regulated under a statute known as HIPAA. We are all familiar with signing HIPAA releases at the doctor's office, but what does HIPAA really require, and what is needed for HIPAA compliance? We will explore some of the main components of HIPAA and explain why compliance needs to be taken seriously. Lastly, we will cover some basic cybersecurity principles to help protect PHI within your organization and beyond.

Protected health information, or PHI, under HIPAA is any information about health status, provision of healthcare or payment for healthcare, created or collected by a covered entity or a business associate of a covered entity, that can be linked to a specific individual. Some obvious examples of PHI include test results, treatment plans, medical charts, insurance information, photographs and many other kinds of health and medical records. In addition to the different kinds of medical records that we just mentioned, there is personally identifiable information such as name, date of birth, Social Security account number and even driver's license number. Together, all these make up PHI, protected health information.

On the black market, protected health information is worth 10 times more than stolen financial information like a credit card number. For the individual whose PHI has been stolen, it can be much harder to repair the damage than it would be to close a bank account or credit card account. Stolen PHI can be used by criminals to obtain narcotics and other prescription drugs; to commit medical fraud, where a victim's identity and insurance benefits are stolen in order to obtain medical treatment; or to commit medical insurance fraud, in which a treatment provider submits fraudulent claims for treatment that was never provided. PHI can also be misused to damage, or to threaten damage to, the reputation of an individual, either to commit extortion or to cause harm, for example by making public an individual's embarrassing diagnosis or substance abuse history.

The following fictionalized narrative demonstrates the dangers of mishandled PHI.

My name is Rachel, and here is my story. I recently tried to donate blood for the first time at a local blood bank. I was shocked when I was told I could not donate. I investigated and discovered someone had illegally used my protected health information, specifically my health insurance credentials, to receive treatment at a leukemia cancer center in California. Now this treatment is part of my medical history, rendering me ineligible for blood donation. To date I have not been able to permanently remove this false information from my medical history. In the end I was provided a correction letter that I carry in my wallet in case I need it, but to be honest, I worry about this every time I seek medical treatment.

The definition of PHI refers to covered entities, so what are covered entities? Covered entities are those that collect and store PHI directly due to the nature of their operations. They fall into three main classifications. Health care providers include everything from multi-facility hospital health care systems to the lone general practitioner operating out of a neighborhood office. Any entity providing direct patient care is a covered entity, including doctors, dentists, optometrists and audiologists, mental health professionals, chiropractors, pharmacies and medical laboratories. Covered entities also include health plans, such as HMOs, company health plans and government programs such as Medicare and Medicaid. Finally, the healthcare clearinghouse is a covered entity. These are entities that process non-standard health information into standard form; an example would be a company acting as an intermediary between patient care and patient billing, checking for errors and ensuring that standard codes have been used.

Most health care providers and other covered entities need to share PHI with other companies in order to do business. Under HIPAA, these companies are called business associates. For example, a medical office may need to share patient PHI with a billing service, a transcriptionist, an answering service or even a record storage facility. The contracts between covered entities and business associates, otherwise known as business associate agreements, are required to include provisions regarding HIPAA compliance so that business associates share in the responsibility to protect and secure PHI.

The following fictionalized narrative demonstrates the dangers of mishandled PHI.

My name is John, and I'm the owner of WellBe Pharmacy. Law enforcement recently notified me that my pharmacy had been involved in a fraudulent prescription ring. Following a criminal investigation, it was discovered that one of my trusted employees, Linda, had illegally accessed and distributed the pharmacy's patient protected health information. Linda had been the pharmacy assistant for ten years and had full access to the network system, which included all patient information. She used this access to obtain the names, addresses, birth dates and prescription details of more than 600 individuals. She sold this information to an organized crime ring, who used it to illegally purchase prescription drugs. Beyond the criminal ramifications of her actions, the theft also was considered a breach of protected health information; therefore the breach needed to be reported to the Department of Health and Human Services and handled in accordance with HIPAA regulations. The pharmacy has notified all 600 individuals affected by the breach. This process has proven to be very expensive. The pharmacy was found not guilty of any criminal act, although the same cannot be said for Linda. Now the Office for Civil Rights is in the beginning stages of a HIPAA compliance investigation.

Just knowing that PHI needs to be protected is not enough. It is also important to think about where PHI is stored and how it spreads throughout an organization. PHI also spreads outside an organization, for example from a hospital providing direct patient care to all of the business associates that it uses. Both the hospital and its business associates must adhere to HIPAA regulations. In the end, PHI is everywhere, in businesses spread throughout every city and every town.

All of this PHI is primarily regulated by two federal statutes: HIPAA and a companion statute known as HITECH. HIPAA was enacted in 1996. It established for the first time a set of national standards for defining and protecting personal health information. HITECH, the Health Information Technology for Economic and Clinical Health Act, was enacted in 2009. HITECH broadened HIPAA to cover business associates and added requirements to protect PHI stored in electronic form. HITECH also mandated more rigorous enforcement, including a regime of regulatory fines and penalties. The Office for Civil Rights within the US Department of Health and Human Services is the strong arm of HIPAA, tasked with enforcing its regulations.

HIPAA started with five rules, covering privacy, security, enforcement, unique identifiers, and transactions and code sets. HITECH added a rule regarding breach notification. Let's take a closer look at the privacy, security and notification rules, along with the enforcement of those rules.

The Privacy Rule lays out the who, what and when of PHI. It identifies covered entities and business associates, the entities who are regulated under HIPAA. It defines what is considered protected health information. Finally, it specifies when it is acceptable to share PHI. It is only acceptable to share PHI in specified circumstances, such as when required by law, for reporting abuse and neglect, or when the individual to whom the PHI relates has provided written authorization. Remember, PHI can be digital, paper or oral.

The Security Rule defines standards, procedures and methods for protecting electronic PHI that cover how PHI is stored, accessed, transmitted and audited. The Security Rule includes three kinds of controls. First, administrative safeguards: these focus on internal organization, staffing, and policies and procedures that protect PHI. Examples of administrative safeguards include implementing role-based network access controls and providing appropriate training for employees and staff. Second, physical safeguards: these relate to protecting the buildings, equipment and data from environmental hazards and unauthorized intrusion. Examples of physical safeguards include keycard access to computer rooms and privacy screens on computers. Third, technical safeguards: these focus on the use of technology to protect information and prevent unauthorized access. Examples of technical safeguards include the use of multi-factor authentication and encryption tools.

Under the Breach Notification Rule, covered entities must notify all affected individuals in writing within 60 days after their health information has been breached. If a breach occurs at a business associate, the business associate must notify the covered entity it serves so that the covered entity can notify the affected patients. In addition, a toll-free number must be provided for at least 90 days so that the affected individuals can obtain more information about the breach. Notification must also be provided to the Department of Health and Human Services: if the breach affected 500 or more individuals, notification must be made without unreasonable delay and no later than 60 days; otherwise, notification must be made within 60 days after the end of the calendar year. The covered entity must also provide notice to prominent media outlets serving the state or jurisdiction, for example a press release announcing the breach.

The Department of Health and Human Services has a searchable online database of reported breaches affecting more than 500 individuals. These breaches can be searched and viewed publicly. The database includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information. It is not just federal HIPAA and HITECH regulations that healthcare providers must follow. As of February 2017, 47 states also have their own laws and regulations regarding data breach notification requirements that apply to PII in general; 12 states have specific requirements pertaining to breaches of health-related information.

The following fictionalized narrative demonstrates the dangers of mishandled PHI.

I'm a professor at the local university. Our university's main objective is education; however, we do have a research lab, a medical clinic and a speech lab as part of our campus operations. Having these components makes us a hybrid entity in the eyes of HIPAA, which means we are required to designate and adhere to HIPAA regulations within those areas. We take HIPAA compliance very seriously and have procedures and policies in place to ensure compliance within the research lab and medical clinic on campus. Unfortunately, the university failed to recognize that the speech lab was handling health care information. It was not designated as a health care component, and the computers lacked the necessary security controls required under HIPAA. So when one of the speech lab computers was the target of a malware attack and protected health information was accessed, it was a breach of privacy. The attack resulted in stolen PHI for 1,300 students. The university was responsible for notifying each of the affected students and reporting the breach to the Department of Health and Human Services. The breach was made public record on the HHS breach database. It was also necessary for the university to hire a firm to conduct a forensic investigation to determine the extent of the damage by the attack. The university took a reputational hit when the breach was made public, along with spending an exorbitant amount of money on the notification and forensic responsibilities. Just when we thought we had put this matter behind us, the Office for Civil Rights came in and conducted their own formal investigation and determined the university was guilty of failing to designate the speech lab as a health care component of the university and in violation of HIPAA. A hefty fine and corrective action plan were the end result.

As part of its continued efforts to enforce HIPAA compliance, the Department of Health and Human Services Office for Civil Rights has begun its next phase of audits. Covered entities and business associates can be selected at random to be audited. The phase 2 HIPAA audit program will review the policies and procedures adopted by covered entities and their business associates under the Privacy, Security and Breach Notification Rules. If a covered entity or business associate fails an audit, the OCR may implement a corrective action plan to improve controls, along with assessing fines and penalties if it is found in violation of HIPAA.

When a breach has occurred, there are four categories of violations that reflect increasing levels of culpability. Fines are calculated per violation; each individual's health record lost in the breach is counted as a violation. The lowest level of civil money penalties applies when a covered entity did not know, and by exercising reasonable diligence would not have known, that it violated a provision of HIPAA; the penalties are no less than $100 and no more than $50,000 for each violation. The next level of civil money penalties applies where it is established that the violation was due to reasonable cause and not due to willful neglect; the penalties are no less than $1,000 and no more than $50,000 for each violation. The third level of civil money penalties applies where it is established that the violation was due to a covered entity's willful neglect but it was timely corrected; the penalties are no less than $10,000 and no more than $50,000 for each violation. The highest level of civil money penalties applies when it is established that the violation was due to a covered entity's willful neglect and it was not timely corrected; the penalties are no less than $50,000 for each violation.

HIPAA fines and penalties have been steadily growing over the past few years. 2014 saw approximately $8 million in assessed fines; 2015 saw approximately $15 million in total fines; and 2016 saw approximately $24 million in fines. Who knows what 2017 will bring?

So how can a business protect itself? Here are a few things that can be done. Encrypting PHI, whether data at rest, in transit or on mobile devices, helps to ensure that PHI is protected in the event of a cyber incident. An incident response or breach action plan is critical in detecting, analyzing and responding to a breach. Ensuring your vendors are maintaining adequate security controls, and having compliant agreements in place, helps to ensure that you are properly vetting your service providers. Educating employees on appropriate privacy and security issues is essential. Having strong network security controls helps to mitigate the risk of a breach.

Thank you very much for your time today. We hope you enjoyed this session of the Travelers Cyber Academy. If you have any further questions, please contact us at trvcyber@travelers.com. For a replay of this session to share with your colleagues, and to find additional resources on this topic, please visit travelers.com/cyberadvantage.
It's in the cards: Payment card security
To protect your business and your customers, you need to understand the risks associated with credit card transactions and how to best prevent credit card fraud.
Welcome to the Travelers Cyber Academy, a webinar series on cybersecurity and cyber risk management. Our topic for today: payment card security. Many of the biggest breaches that have been reported to date have involved the loss of payment card information: credit card or debit card account numbers, account holder names, PINs and expiration dates. This kind of information has traditionally been of value to cyber criminals because it can be used to buy goods and services online, including services like internet hosting that are then used to facilitate more criminal activity. Stolen payment card information can also be used by cyber criminals to create counterfeit credit or debit cards. Banks and businesses lose billions of dollars each year from fraudulent payment card transactions.

In today's session of the Travelers Cyber Academy, we will explain how payment card transactions work and describe two industry standards that are intended to protect cardholder data and to reduce the losses from fraud: the Payment Card Industry Data Security Standard, or PCI DSS, and the Europay, MasterCard, Visa, or EMV, standard for chip-based smart cards. We will also hear from Seth Harrington, an attorney who has represented major companies after they experienced significant data breaches. He will describe the possible consequences to a business of failing to comply with those standards, and how businesses can and should protect themselves.

Every day, Americans conduct millions of financial transactions by swiping their credit cards, debit cards or prepaid cards at point-of-sale terminals across the country. Approximately $500 billion of payment card transactions are made during the fourth quarter alone, when the holiday shopping season is in full swing. Even with the advent of new payment technologies, payment card transactions remain an inescapable part of daily living. Let's take a closer look at how payment card transactions work, so that we can better understand what businesses are doing in order to make them more secure, as we will see later in the webinar.
How do payment card transactions work?
There are many ways that payment card transactions can be processed, but we will start by describing a very typical scenario. First, the cardholder presents a payment card to a merchant. The card is swiped at a card reader, which reads information from the magnetic stripe on the back of the card, including the cardholder's name, the account number and the expiration date. This information is sent through the store's point-of-sale system to a corporate server, where the credit card information is stored. Merchants have traditionally stored this information in order to process returns and to provide other services for their customers. The merchant then sends the payment card information to a payment processor, which is responsible for, among other things, forwarding the information to the bank that issued the credit card. The bank that issued the credit card will decide whether to authorize the transaction, looking at information such as the account limit, the size of the transaction and whether there are indicators of fraud. If the issuing bank approves the transaction, the authorization is sent back to the merchant, which then proceeds with the transaction. In this scenario, the payment card information that is being sent between the store, the payment processor and the bank can be stolen if any of them are compromised. Indeed, criminals are remarkably good at
Merchants should care about protecting card data
stealing payment card information. In 2014, more than 30 million consumers in the United States had their credit or debit card information breached. Credit card fraud is an expensive problem for banks, merchants and consumers; in 2015, payment card fraud losses in the U.S. reached almost $8 billion. To address these problems, the payment card industry has promulgated two standards: the PCI Data Security Standard, or PCI DSS, which addresses the problem of data breaches, and the EMV standard, which addresses the problem of counterfeit payment card fraud. Together, these standards go a long way toward providing more security for payment card transactions. Let's take a closer look at these standards, starting with the PCI Data Security Standard.

The Payment Card Industry Data Security Standard is issued by the PCI Security Standards Council, led by representatives of major card brands such as Visa, MasterCard, American Express and Discover. The standard is not a law like a breach notification statute, but is enforced through contracts between the card brands and the banks, payment providers and merchants that accept or process cards of that brand. Each card brand also sets requirements for compliance with the standard and consequences for non-compliance. The PCI Data Security Standard applies to all entities that have agreed by contract to comply with it: in effect, all entities involved in payment card processing, as well as entities that store, process or transmit cardholder data. This includes retailers and other merchants, of course, as well as payment processors and banks, both issuing banks, which issue credit cards to customers, and acquiring banks, which are the banks used by merchants to accept payment card transactions. The standard protects the cardholder's name, the account number, or PAN, and the expiration date. It also protects the three-digit security code, sometimes known as CVV2 or CVC2, that is found on the back of most payment cards. Finally, the standard protects the data stored on the magnetic stripe on the back of most payment cards.

The standard includes six control objectives, which are associated with 12 security requirements. The first control objective is to build and maintain a secure network and systems, with two associated requirements: one, install and maintain a firewall to protect cardholder data, and two, change default vendor passwords and security configurations. The second objective is to protect cardholder data. The third objective is to maintain a vulnerability management program. The fourth objective is to implement strong access controls. The fifth objective is to monitor and test networks regularly. And the last objective is to maintain an information security policy.

For each of the 12 security requirements, the PCI Data Security Standard provides more detailed sub-requirements and guidance, as well as procedures for testing compliance with the standard. For example, if we drill down on one of the 12 requirements, restricting access to cardholder data based on a need to know, the PCI Data Security Standard establishes several sub-requirements: access to systems and cardholder data should be limited to employees whose jobs require such access, based on the employee's job function and classification; access control technology should be in place that only allows access when access is specifically granted; and written policies and procedures should be used and made known. To assess compliance with this requirement, the PCI Data Security Standard specifies that the written policy on access controls should be examined, that a sampling of job functions and classifications be checked for compliance with the policy, that interviews be conducted of employees and managers, and that access control systems are in place and properly configured. Each card brand, like Visa, MasterCard or
PCI DSS: What is required for compliance?
American Express, sets its own requirements for compliance. Visa and MasterCard, for example, have grouped merchants into four categories, or levels, based largely on the number of card transactions conducted each year. Merchants that conduct no more than 1 million transactions each year, including no more than 20,000 e-commerce transactions, are level 4 merchants. Merchants that conduct no more than 1 million transactions, with more than 20,000 e-commerce transactions, are level 3 merchants. Merchants that conduct between 1 million and 6 million transactions are level 2 merchants, and merchants that conduct more than 6 million transactions each year are level 1 merchants. Visa and MasterCard require that level 1 merchants establish compliance with the PCI Data Security Standard by submitting a report on compliance, which is most often prepared by an external Qualified Security Assessor, or QSA. Other merchants may establish compliance through self-assessment questionnaires. In addition, there are requirements for network scans performed by Approved Scanning Vendors, which must be done on a quarterly basis.

The second payment card standard that we will cover today was first developed by Europay, MasterCard and Visa and is known as the EMV standard. The EMV standard covers the use of payment cards with integrated circuits, or chips, built into them. The EMV standard also addresses tap-to-pay methods such as Apple Pay, but we will focus today on the chip card technology. When a customer uses an EMV card, the card is dipped into the reader rather than swiped. The chip is used to authenticate the card, or in other words to establish that the card is genuine and is not a counterfeit card. The chip on the card contains one or more programs, which can vary depending on the card issuer, that can generate a unique cryptographic code for each transaction, a form of digital signature. In other words, instead of passing static information such as the cardholder name and the primary account number, which is what we saw earlier in the traditional payment card transaction, an EMV transaction includes dynamic data that is different for each transaction.

Let's see how that works. As before, the customer provides a payment card to the merchant. The EMV standard does not require encryption of the payment card data, which can be stored by the merchant. However, assuming both the card and the payment terminal are EMV compliant, a unique code authenticating the card will be generated. From there, the transaction is essentially the same as before, except the unique code is also passed to the issuing bank, which authorizes the transaction only if the code was generated correctly. Of course, most EMV cards can still be swiped at traditional card readers that are not EMV compliant. In that case, the chip is not involved and the unique digital code is not generated, so it is possible to use a counterfeit EMV card at a non-EMV terminal. It is much more difficult, however, for criminals to use a counterfeit EMV card at an EMV-compliant terminal. For this reason, banks shifted liability to merchants in October 2015 for fraud losses associated with counterfeit EMV cards, with respect to merchants that have not upgraded to EMV-compliant terminals. Banks generally remain responsible for fraud losses associated with the use of counterfeit non-EMV cards.
Adding encryption and tokenization for greater security
payment providers and banks are going even further than PCI DSS and EMV standards to protect cardholder data through technologies such as encryption and tokenization when encryption is used the payment card data can be encrypted at the payment terminal so that is not visible at either the point-of-sale terminal or anywhere else along the merchants network at the issuing bank if the transaction is approved a token that represents the transaction is generated and sent back to the merchant the merchant can then store the token for you some processing returns and providing other services instead of storing the card account number even if the token is compromised it will be of no value to a criminal as you can see significant progress is being made in reducing the likelihood and cost of payment card data breaches and counterfeit card fraud through the adoption of new standards and technologies what happens when a company does not comply with those standards for an answer to that question let's hear from attorney Seth Harrington a data breach expert in any data breach particularly data breach involving the personal information an entity will face a number of potential exposures the loss of reputation and goodwill business interruption in addition there are the costs of responding to a data breach which could require cost of forensic investigation remediation recreation of data and as well as the retention of outside consultants such as public relations firms outside counsel and forensic investigators as well as the cost to notify any individuals whose information may have been impacted by the breach as well as offering credit monitoring or insurance in addition to the exposure that any entity that suffers a data breach may face in the event of a payment card data breach there is also the risk of fines fees and assessments imposed by the card brands the fines are imposed with
Financial consequences specific to PCI data breaches
respect to the alleged non-compliance with the PCI DSS the fees are imposed with respect to cost that the card brand allegedly incurs in responding to and investigating a data incident but the most significant portion are the issue or reimbursement assessments for fraud losses and operating expense losses that issuers allegedly incur in reimbursing card holders and reissuing cards in our experience the fines and fees range from the tens of thousands to hundreds of thousands of dollars in exposure whereas the assessments range from the millions to tens of millions in significant breaches the assessments are based on the number of cards alleged to have been exposed as a part of a breach the best thing that entity can do in order to defend against fines and assessments from the card brands is before they are even imposed bringing outside counsel in order to assist in mounting a defense counsel along with the assistance of an outside forensic investigator can work to ensure that the investigation conducted by the card brands is accurate both in terms of the facts of the breach as well as the compliance status of the entity with the PCI DSS in addition counsel can advise on how to effectively dialogue with the card brands in order to minimize the potential for fines and assessments once the fines and assessments are imposed there are limited options it is possible to appeal them but the appeal is determined by the card brand that issued the fine and assessment itself the only other option once they once the assessment has been imposed and appeal options have been exhausted is to commence litigation either against the acquirer under the contract with the merchant or against the card brand itself up till now we've been talking about losses associated with a data breach but merchants face potential losses from fraud every day traditionally counterfeit fraud on cards was the responsibility of the issuer not the merchant but in October 2015 the card brands changed the rules 
with respect to payment cards issued with chips enabled in the card in the event that one of those cards is counterfeited and accepted at a merchant that does not use EMV chip technology readers the merchant not the issuer will be responsible for any fraud on those cards well there are three things that an entity can do to reduce the potential of experiencing a payment card breach the first is to have a robust information security program in place headed by an individual and Department specifically tasked with maintaining information security the second is to conduct appropriate outside assessments of your payment card security this should include not only penetration testing and vulnerability scans but also bringing in an outside Assessor known as a qualified security Assessor in order to validate compliance with PCI DSS and following up on all of those recommendations from all of those outside Assessors finally having an incident response plan in place in order to respond to the potential incident can help reduce potential exposure insurance can help mitigate the financial exposure of a data breach including not only the costs of retaining outside counsel and vendors to respond to a data breach but also potentially for fines fees and assessments that a card brand may impose as well as the cost of defending litigation and regulatory investigations you during this session of the traveller
Common types of card-not-present transactions
cyber academy we have Illustrated payment card transactions in the context of a consumer physically presenting a payment card to a merchant this is called a card present transaction many forms of card not present transactions take place every day each of these card not present transactions can involve cardholder data that is potentially vulnerable to thieves and merchants payment processors and banks must adhere to the PCI data security standard with respect to the data from these types of transactions as well all businesses that accept payment card transactions or that process or store payment card information should adopt security conscious practices and procedures for example companies should store payment card information only when there is a legitimate business need to do so in fact the PCI data security standard requires companies to keep cardholder data storage to a minimum by implementing appropriate data retention and disposal policies procedures and processes businesses should also adopt stronger security controls and technology such as encryption and tokenization consistent with the needs and resources of the business it is also important for businesses to test and validate their computer and network security by working with outside experts such as qualified security Assessors not only will this help to improve a business's cyber security it can also help to reduce a business's exposure to PCI penalties in the event of a data breach finally businesses should consider obtaining cyber insurance which can provide coverage or defray the cost of a data breach including PCI fines fees and assessments thank you very much for your time today we hope you enjoyed this session of the travelers cyber Academy on payment card security and understand better how important it is for businesses to be prepared if you have any further questions please contact us ed trv cyber at EMS travelers comm for replay of this session to share with your colleagues or to find additional 
resources on this topic please visit travelers comm forward slash cyber advantage
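The EMV exchange described in this session, as an added example that is not part of the original session: a simplified Python model of a genuine chip, a card copied from static data, a swipe terminal and an EMV terminal, with an issuer that verifies the per-transaction code and rejects a reused counter. HMAC-SHA256 stands in for the real card keys and cryptogram algorithm, and the PAN, name and amounts are constructed.

```python
"""Why a copied card works at a swipe terminal but fails at an EMV one.
Added example, not Travelers' or EMVCo's code: real ARQCs use card-specific
3DES/AES session keys; HMAC-SHA256 stands in here. Values are constructed."""
import hashlib
import hmac
import secrets


def cryptogram(card_key: bytes, pan: str, amount_cents: int, un: int, atc: int) -> bytes:
    """The per-transaction code the session calls a form of digital
    signature: it covers dynamic data and needs the card's secret key."""
    msg = f"{pan}|{amount_cents}|{un:08x}|{atc}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Genuine card: the key never leaves the chip, and the application
    transaction counter (ATC) increases with every transaction."""
    def __init__(self, pan: str, name: str, key: bytes) -> None:
        self.pan, self.name, self._key, self.atc = pan, name, key, 0

    def static_data(self) -> dict:
        """What a magnetic stripe exposes: static fields only, no key."""
        return {"pan": self.pan, "name": self.name}

    def generate_arqc(self, amount_cents: int, un: int) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, cryptogram(self._key, self.pan, amount_cents, un, self.atc)


class CounterfeitCard:
    """A card built from copied static data only; it holds no key."""
    def __init__(self, static: dict) -> None:
        self.static = dict(static)

    def static_data(self) -> dict:
        return dict(self.static)

    def generate_arqc(self, amount_cents: int, un: int) -> tuple[int, bytes]:
        return 1, secrets.token_bytes(8)          # can only guess the code


class Issuer:
    """Issuing bank: knows each genuine card's key and last seen ATC."""
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.last_atc: dict[str, int] = {}

    def issue(self, pan: str, name: str) -> Chip:
        key = secrets.token_bytes(16)
        self.keys[pan], self.last_atc[pan] = key, 0
        return Chip(pan, name, key)

    def authorize(self, req: dict) -> bool:
        pan = req["pan"]
        if pan not in self.keys:
            return False
        if "cryptogram" not in req:
            # Swiped (non-EMV) transaction: only static data arrives, so the
            # issuer cannot distinguish a genuine card from a copy of it.
            return True
        if req["atc"] <= self.last_atc[pan]:
            return False                          # counter reused: replay
        expected = cryptogram(self.keys[pan], pan, req["amount"],
                              req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False                          # wrong key: counterfeit
        self.last_atc[pan] = req["atc"]
        return True


def swipe_request(card, amount_cents: int) -> dict:
    """Traditional terminal: forwards the static track data and amount."""
    return {**card.static_data(), "amount": amount_cents}


def emv_request(card, amount_cents: int) -> dict:
    """EMV terminal: issues an unpredictable number and asks the chip for a
    cryptogram, then forwards both with the static data."""
    un = secrets.randbits(32)
    atc, arqc = card.generate_arqc(amount_cents, un)
    return {**card.static_data(), "amount": amount_cents,
            "un": un, "atc": atc, "cryptogram": arqc}


def demo() -> dict:
    issuer = Issuer()
    genuine = issuer.issue("4000123456789010", "A. Cardholder")   # constructed
    clone = CounterfeitCard(genuine.static_data())
    results = {
        "clone_swipe": issuer.authorize(swipe_request(clone, 4999)),
        "clone_dip": issuer.authorize(emv_request(clone, 4999)),
    }
    captured = emv_request(genuine, 4999)
    results["genuine_dip"] = issuer.authorize(captured)
    results["replay"] = issuer.authorize(captured)   # same ATC and code again
    return results
```

The outcomes match the liability rule in the session: the copy is accepted only where no cryptogram is checked.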
Ransomware attacks
Learn how ransomware is spread and how businesses have been affected when their data is held hostage.
Introduction
Welcome to the Travelers Cyber Academy, a webinar series on cybersecurity and cyber risk management. Our topic for today: ransomware. There are many kinds of cybercrime that can impact businesses, both large and small. Ransomware is one of the more modern and prevalent types of cybercrime that we see today. As you probably know, ransomware locks or encrypts the files on a computer, or the computer itself. In order to recover access to the files, the owner must pay a ransom, most often using an electronic currency known as Bitcoin.
Agenda
In this session of the Travelers Cyber Academy we will look at how ransomware works and how it spreads. We'll hear from Kurt Ostreicher, the Director of Digital Forensics at Travelers, who is part of a team that examined CryptoLocker, a well-known form of ransomware, in 2013. We will also explain what bitcoins are. Ransomware became much more common after the advent of bitcoins, which provide an easy and anonymous way for criminals to obtain payment from victims of ransomware. When a business is infected with ransomware, the consequences often go beyond simply paying a ransom. Christine Mapes is a senior claim specialist at Travelers who has handled numerous ransomware claims, and she will describe the actual consequences when a business is infected with ransomware. Finally, we will cover important steps that a business can take to protect itself from ransomware. Demanding ransom for the safe return of a person or thing is not new, of course. Julius Caesar, for example, was ransomed after he was captured by pirates in the Mediterranean.
Ransomware
In the digital world, ransomware started out as a con in which banners would be displayed on a victim's computer stating that the computer had been infected with spyware or other malicious software. The victim was asked to pay money to remove this spyware or to install antivirus software, but the victim's computer and computer files were essentially unharmed. In 2012, a form of ransomware known as Reveton gained notoriety when it locked victims out of their computer systems. Reveton displayed a banner customized for different countries stating that the victim had been caught by police while committing a crime, such as viewing child pornography. The victim was instructed to pay a "law enforcement fine" of several hundred dollars to unlock the computer. Although the computer was in fact locked, there were ways to bypass Reveton and to access the computer and the files on the computer without too much difficulty. In the fall of 2013, the infamous ransomware known as CryptoLocker appeared. CryptoLocker was a game changer in two ways. First, it encrypted the files on victim computers so that even a trained forensic examiner would be unable to recover data from the computer's hard drives without paying for the decryption key. Second, CryptoLocker required that payment of the ransom be made through anonymous methods such as Bitcoin. Ransomware also began appearing on mobile phones and devices, starting with ransomware that would lock a phone or device and then progressing to ransomware that would encrypt the contents of the phone or device. CryptoLocker's success spurred the development of many new ransomware variants, such as TorrentLocker, AlphaCrypt, CryptoWall, TeslaCrypt, Locky and others. Modern ransomware is designed to maximize the consequences to the victim and to force payment of the ransom. Some ransomware is even designed to steal from the Bitcoin wallet that is used to pay the ransom. In 2013, Travelers began receiving a number of claims related to CryptoLocker. Its investigation of CryptoLocker was led by Kurt Ostreicher, who is now a Director of Digital Forensics.
Digital Forensic Lab
Welcome to the Travelers digital forensics lab. The lab was designed with the intention of being able to process the digital evidence that comes into Travelers in the form of claim investigations, internal matters, and also looking at the general cybersecurity threats that are out there. Some of the forms of digital evidence that we see here at Travelers come in the form of cell phones, hard drives, computer systems themselves, social media, the emerging Internet of Things, video, and the greater cyber threats to both Travelers and to our customers. One of the core components of the digital forensics lab is the malware firing range. The malware firing range is an isolated network and set of computers and servers that allow us to do advanced malware research in support of cyber threats. That allows us to take a deeper dive and really see what the particular strain of malware is doing: how is it infecting a system, what does it do once it's on the system, what types of data are being exfiltrated and passed on to the attacker. Ransomware is a form of malware that infects a system and then immediately looks to try to encrypt the critical contents on a user's hard drive. Once the encryption is complete, the user is typically presented with a splash screen on the desktop that demands some form of ransom, typically in some form of virtual currency such as Bitcoin. In 2013 we saw CryptoLocker, a form of ransomware, emerge on the scene, and we recognized right away that this was a new and emerging threat; it was just going to be the beginning of multiple strains of ransomware that would soon follow. So we took a real close look at CryptoLocker to find out: how did it infect the systems, what did it do to the systems itself, was it destroying the hardware, was it simply a software layer where it was encrypting files, was any data being exfiltrated, and so on. That was really important to us for our claims investigations, and also to pass on to educate our customers on what is the best way to respond to a CryptoLocker infection. Astonishing Furniture is a fictitious website that we developed in house here at Travelers in order to provide a means to better educate our customers on some of the greater cyber risks. Today we're going to take a look at how an attacker will use a vulnerability in Astonishing Furniture's ad network to pass ransomware through Astonishing Furniture and onto their victim, through what's known as a watering hole attack. Let's take a closer look.

One of the modern ways that ransomware is spread begins with the poisoning of internet affiliate advertising networks. This is a fictitious website for a store called Astonishing Furniture. Like many retailers, Astonishing Furniture displays advertisements on its internet site. These ads were not created by Astonishing Furniture; instead, Astonishing Furniture would be paid a fee to allow an affiliate network to place ads on its website, ads which are expected to be, and usually are, legitimate. In some cases, cyber criminals are able to infiltrate the affiliate network and place a malicious ad. As a result, many visitors to the Astonishing Furniture website will be infected by the ad, even though the computers and the web server of Astonishing Furniture have not themselves been compromised. In fact, visitors can be infected even if they do not click on the malicious ad. This kind of attack is sometimes described as a watering hole attack because visitors to the website are caught like prey coming to a watering hole.
Bot Master
Generally, the victims of a watering hole attack are not immediately infected with ransomware. Instead, they're infected with malicious software that makes them part of a botnet, together with hundreds of thousands of other similarly compromised computers. The computers in the botnet are effectively under the control of a single criminal or group, who is known as the bot master or bot herder. The bot master can obtain direct access to the computers in the botnet by using a remote access trojan, or RAT. The bot master can also use the computers in the botnet to send spam or to conduct denial of service attacks. Finally, the bot master can install ransomware on any or all of the computers in the botnet. CryptoLocker, for example, was often distributed through the Gameover Zeus botnet. Ransomware is one of the easiest ways for cyber criminals to get cash from a compromised computer. Unlike credit card fraud, there is no need to make a counterfeit card and withdraw money from an ATM, or to deal with other criminals by trafficking in stolen payment card information.
What Happens
According to the US government, more than 4,000 ransomware attacks have occurred each day this year. Exactly what happens when ransomware is installed on a computer? Here is a mock screenshot of a victim's computer showing what would happen if the computer was infected by the Locky ransomware. The files would be encrypted and the filenames would be changed, leaving behind nothing but gibberish. The instructions for recovering the encrypted files are provided in locky instructions.txt, which instructs the victim to access the dark web in order to obtain a private key and a decryption program. More information about the dark web was provided in an earlier session of the Travelers Cyber Academy, "The Dark Side of the Internet", which is available for viewing at travelers.com/cyberadvantage. Upon accessing the specified site on the dark web, the victim will be instructed to create a Bitcoin wallet and to pay 0.5 bitcoins in order to obtain the Locky decrypter. So what are bitcoins, and why are they the payment method of choice for modern cyber criminals?
Bitcoins
Bitcoins are a method of electronic payment devised by an unknown individual in 2009. Unlike U.S. dollars and other familiar forms of currency, bitcoins are not backed by any government; they are entirely a peer-to-peer payment method. We'll see what that means shortly. In order to use bitcoins, businesses or individuals create digital wallets. These wallets are used to store bitcoins and track Bitcoin transactions, which can be conducted anonymously through the use of digital signatures. The ability to conduct anonymous financial transactions without any government oversight is the reason why bitcoins have become the payment method of choice for criminals conducting ransomware attacks. For the most part, bitcoins are obtained through online sites known as Bitcoin exchanges, where they are bought and sold like any other commodity. Like other commodities, the value of Bitcoin fluctuates over time, as shown here over the past five years. As of October 2016, one bitcoin is worth approximately 600 U.S. dollars. If there is no central bank issuing bitcoins, where do they come from? In short, new bitcoins are issued according to the peer-to-peer protocol that was established when bitcoins were created in 2009. The protocol specifies that every Bitcoin transaction, every single Bitcoin transaction conducted since 2009, is stored in a shared public record known as the Bitcoin blockchain. A simple transaction, for example, might involve somebody using digital signature A making a payment of one bitcoin to somebody using digital signature B. Groups of Bitcoin transactions are combined into a single block, and the block is linked to the prior block by including a digital fingerprint of the earlier block. The entire process connects every Bitcoin transaction to every other Bitcoin transaction ever conducted, in a way that ensures bitcoins cannot be forged, counterfeited or spent more than once. The process of packaging and encoding each block of transactions is time-consuming and computationally intensive, so the Bitcoin protocol awards a defined number of bitcoins to each individual or group of individuals who successfully add a new block of transactions to the blockchain. This process, known as Bitcoin mining, is how new bitcoins are created.
Understanding how the ransom is paid
Understanding how the ransom is paid, however, is sometimes the easy question. The harder question for a business that does not have an adequate response and recovery plan may be deciding whether the ransom should be paid. Many authorities, including the FBI, have identified serious risks that should be considered before paying the ransom: criminals may not actually provide a way to recover the lost files, and payment of the ransom may cause the business to be targeted again in the future. Furthermore, ransom payments fund and encourage illegal activity. The decision of whether to pay the ransom should only be made after consulting with an experienced attorney, such as a breach coach that can be made available through the victim's insurance company. As a specialist in cyber claims at Travelers, Christine Mapes knows very well that there can be other consequences to a business that has been infected with ransomware beyond just paying the ransom demand.
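The blockchain description in the Bitcoins section, as an added toy implementation (not the session's material and not the real Bitcoin protocol): blocks of transactions linked by the previous block's fingerprint, proof-of-work mining that earns a block reward, and a replay check that rejects a rewritten block and a double spend. Account labels stand in for the session's "digital signature A/B"; amounts and difficulty are constructed toy values.

```python
"""Toy blockchain following the session's description: transactions are
packaged into blocks, each block carries the fingerprint (hash) of the
prior block, adding a block costs work and earns a reward, and a forged
or double-spent coin is rejected when the chain is replayed.

Added example, not Travelers' code and not the real Bitcoin protocol (no
Merkle trees, no real signatures: the session's 'digital signature A' is
reduced to the account label "A"). Amounts and difficulty are constructed.
"""
import copy
import hashlib
import json

DIFFICULTY_BITS = 12   # leading zero bits a block hash must have (toy)
BLOCK_REWARD = 50      # coins awarded to whoever adds a block


def block_hash(block: dict) -> str:
    """Digital fingerprint of a block: SHA-256 of its canonical JSON."""
    data = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def meets_difficulty(h: str) -> bool:
    return int(h, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine_block(prev_hash: str, txs: list[dict], miner: str) -> dict:
    """Package the transactions (reward first) and search for a nonce that
    makes the block's fingerprint satisfy the difficulty: the 'mining'."""
    reward = {"from": None, "to": miner, "amount": BLOCK_REWARD}
    block = {"prev": prev_hash, "txs": [reward] + txs, "nonce": 0}
    while not meets_difficulty(block_hash(block)):
        block["nonce"] += 1
    return block


def apply_txs(balances: dict, txs: list[dict]) -> bool:
    """Update balances; refuse any payment the sender cannot cover."""
    for tx in txs:
        if tx["from"] is not None:
            if balances.get(tx["from"], 0) < tx["amount"]:
                return False
            balances[tx["from"]] -= tx["amount"]
        balances[tx["to"]] = balances.get(tx["to"], 0) + tx["amount"]
    return True


def validate_chain(chain: list[dict]) -> tuple[bool, dict]:
    """Replay every block from the start: each must point at the previous
    block's fingerprint, carry valid work, and spend only existing coins."""
    balances: dict = {}
    prev = "0" * 64
    for block in chain:
        h = block_hash(block)
        if block["prev"] != prev or not meets_difficulty(h):
            return False, balances
        if not apply_txs(balances, block["txs"]):
            return False, balances
        prev = h
    return True, balances


def demo() -> dict:
    b0 = mine_block("0" * 64, [], "A")               # A earns 50
    b1 = mine_block(block_hash(b0),
                    [{"from": "A", "to": "B", "amount": 1}], "B")
    chain = [b0, b1]
    valid, balances = validate_chain(chain)

    # Forgery: rewrite history so A's reward was 5000. The fingerprint of
    # b0 changes, so b1 no longer links to it and the chain is rejected.
    forged = copy.deepcopy(chain)
    forged[0]["txs"][0]["amount"] = 5000
    forged_valid, _ = validate_chain(forged)

    # Double spend: A holds 49 but tries to pay 49 to B and 49 to C.
    b2 = mine_block(block_hash(b1),
                    [{"from": "A", "to": "B", "amount": 49},
                     {"from": "A", "to": "C", "amount": 49}], "C")
    double_valid, _ = validate_chain(chain + [b2])
    return {"valid": valid, "balances": balances,
            "forged_valid": forged_valid, "double_spend_valid": double_valid}
```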
What should I do
At Travelers we've seen ransomware claims more than double in 2016. The first question that they ask is: what should I do? Should I pay the ransom, or should I restore from backups or find some other means of getting our data back? And they're also concerned about making sure that their operations are back up and running in a timely manner. They also want to know what they can do to prevent this incident from happening again. Given that ransomware is arguably the most profitable malware on the market, I think that it will continue to become more sophisticated and widespread. I think because it's so profitable, the attackers are gonna find new methods of entry through back doors and system vulnerabilities that are going to make the ransomware harder to detect and therefore more profitable and lucrative for the attackers. They do not discriminate, so they can hit organizations both large and small, as well as individual users. Many times the breach isn't limited to just extortion, and depending on the type of ransomware attack, an additional forensic investigation may be necessary to determine whether or not there was access or unauthorized access to identity information. Our claims response team here at Travelers assists our insureds every step of the way. We partner with our experts and resources to provide them with an appropriate and immediate incident response plan and work towards a fast resolution.
What is ransomware
In its current state, ransomware is a commodity malware threat. Hackers are indiscriminately trying to target anyone and everyone they can, in the hopes of catching victims off guard who may not have effective backup strategies. As we look to the future, targeted ransomware could become an even scarier proposition. If hackers are able to successfully breach a sensitive environment, such as a key system involved in e-commerce, the value of that asset could allow very expensive ransom demands to be made and to be paid.
How to protect yourself
Fortunately, there are several ways for a business to protect itself so that it does not become a target of opportunity for ransomware. An effective data backup strategy includes offline and off-site data redundancy, and it must be current and well tested. Organizations have a variety of sensitive data. The most sensitive information, the things that the business requires to operate, should be isolated from less business-critical sections of the network and more heavily safeguarded. A business continuity plan should be in place and frequently tested. Employee education programs should be used to make users aware of phishing and malware, and to make it easier for employees to know whom to call when they suspect an anomaly on their network. Finally, businesses should prepare an incident response plan in case of compromise, and, in case a breach were to happen, have proper insurance in place. Thank you very much for your time today.
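A detection heuristic for the Locky symptoms described in the What Happens section (filenames turned to gibberish, a recovery-instructions file dropped alongside), as an added example that is not Travelers' tooling: it scores constructed file-change events for a burst of renames to hex-looking names sharing one new extension, and for a note file. The thresholds and the note-name pattern are assumptions to tune.

```python
"""Heuristic detector for the file-level symptoms the session describes for
Locky: files renamed to gibberish and a text file of recovery instructions
dropped next to them.

Added example for this page; it is not Travelers' tooling. It scores a
batch of file-system change events (constructed below) and flags a burst
of renames to hex-looking names, strengthened by one shared new extension
or a ransom-note file. Thresholds are starting points, not published values.
"""
import hashlib
import math
import re
from collections import Counter
from datetime import datetime, timedelta

NOTE_NAME = re.compile(r"(recover|decrypt|instructions|restore)", re.IGNORECASE)
HEX_STEM = re.compile(r"[0-9A-Fa-f]{16,}")


def shannon_entropy(s: str) -> float:
    """Bits per character; high for random hex, low for repeated patterns."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def split_name(name: str) -> tuple[str, str]:
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def looks_like_gibberish(name: str) -> bool:
    """Hex-looking stem of 16+ characters with the entropy of random data."""
    stem, _ = split_name(name)
    return bool(HEX_STEM.fullmatch(stem)) and shannon_entropy(stem) >= 3.0


def is_ransom_note(name: str) -> bool:
    stem, ext = split_name(name)
    return ext in {"txt", "html", "htm"} and bool(NOTE_NAME.search(stem))


def analyze(events: list[dict], window: timedelta = timedelta(seconds=60),
            min_renames: int = 10) -> dict:
    """events: {"time": datetime, "op": "rename"|"create", "path": str,
    "new_path": str (renames only)}. Returns a verdict with its evidence."""
    events = sorted(events, key=lambda e: e["time"])
    notes = [e["path"] for e in events
             if e["op"] == "create" and is_ransom_note(basename(e["path"]))]
    suspicious = [e for e in events if e["op"] == "rename"
                  and looks_like_gibberish(basename(e["new_path"]))]
    # Densest burst of suspicious renames inside any window-long interval.
    burst, burst_exts = 0, Counter()
    for i, first in enumerate(suspicious):
        exts = Counter()
        for e in suspicious[i:]:
            if e["time"] - first["time"] > window:
                break
            exts[split_name(basename(e["new_path"]))[1]] += 1
        if sum(exts.values()) > burst:
            burst, burst_exts = sum(exts.values()), exts
    single_ext = len(burst_exts) == 1
    return {
        "alert": burst >= min_renames and (single_ext or bool(notes)),
        "renames_in_burst": burst,
        "new_extensions": sorted(burst_exts),
        "ransom_notes": notes,
    }


def sample_events() -> list[dict]:
    """Constructed events: one ordinary user rename, then a burst of renames
    to hex names with a single new extension and a dropped instructions file."""
    t0 = datetime(2016, 10, 3, 9, 15, 0)
    ev = [{"time": t0, "op": "rename", "path": "/srv/share/draft.docx",
           "new_path": "/srv/share/final_report.docx"}]
    for i in range(12):
        hexname = hashlib.sha256(f"file{i}".encode()).hexdigest()[:32].upper()
        ev.append({"time": t0 + timedelta(seconds=40 + 2 * i), "op": "rename",
                   "path": f"/srv/share/doc{i}.xlsx",
                   "new_path": f"/srv/share/{hexname}.locky"})
    ev.append({"time": t0 + timedelta(seconds=66), "op": "create",
               "path": "/srv/share/_recover_instructions.txt"})
    return ev
```

Feed it the rename and create events from a file-integrity monitor or file server audit log; a verdict with `alert` set is the moment to isolate the host and call the incident response contact the session describes.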
Conclusion
We hope you enjoyed this session of the Travelers Cyber Academy on ransomware and understand better how important it is for your business to be prepared. If you have any further questions, please contact us at trvcyber@travelers.com. For a replay of this session to share with your colleagues, or to find additional resources on this topic, please visit travelers.com/cyberadvantage.
After the breach: whom to call, what to do
Hear firsthand from two respected data breach coaches about handling a cyber-related event or data breach.
Welcome to the Travelers Cyber Academy, a webinar series on cybersecurity and cyber risk management. In today's environment, companies must be prepared to respond to cyber incidents so that they can prevent them, if possible, from becoming full-scale data breaches. Today's session of the Travelers Cyber Academy will focus on what happens after an incident: whom companies should call and what companies should do. During this webinar we will hear from three experienced breach coaches: attorneys Eddie Finn and Jennifer Coughlin of Mullen Coughlin, and attorney Dominic Paluzzi of McDonald Hopkins. Eddie will be featured in a simulated breach call involving a fictitious furniture store, in order to help illustrate what companies should do following a cyber incident. Dom and Jennifer will share with us their expertise in helping businesses handle cyber incidents and data breaches, including when outside professionals like digital forensic investigators may need to be brought in. Dom and Jennifer will also talk about the legal consequences of a data breach, such as notification requirements under state privacy laws. Dom and Jennifer will also describe important steps that a business can take to help prevent a cyber incident from turning into a data breach. Interconnectivity and data sharing between businesses and individuals has exploded in an age when there is exponentially more data than was previously available. Businesses hold many kinds of data, data that can exist in different forms, whether physical or electronic. That data can be protected under federal law, state law or both. For example, employee files contain personally identifiable information, also known as PII. They may also contain medical and healthcare information, known as PHI. Businesses may also have contractual obligations to protect certain kinds of data, such as payment card information, or PCI. A failure to protect that information can lead to lawsuits from impacted companies or persons. A business can also be subject to legal and regulatory investigations, as well as fines and penalties, if the information is compromised. In short, a business cannot afford not to care about preventing data breaches. According to a recent study by the Ponemon Institute, the average cost of a data breach that required notification under state law has risen to over seven million dollars, or two hundred and twenty-one dollars per compromised record. This included costs related to business disruption, revenue loss, equipment damages, legal fees, public relations expenses and forensic analysis, as well as the cost to comply with the data breach notification laws of 47 different states. Handling a cyber-related incident or data breach can be daunting and expensive. The response effort can require: legal assistance, to coordinate the investigation, to determine what laws may apply and to develop notification materials that comply with those laws; forensics expertise, to determine the source and scope of a breach and to identify the persons whose information was compromised; credit monitoring and/or identity theft monitoring for victims of a breach; notifications as required by law, which can include mailings as well as call center services to assist victims of a breach; crisis control, to minimize negative publicity, loss of goodwill and damage to the reputation of a business; and regulatory concerns, to manage potential government claims or investigations that can follow on the heels of a data breach. So what should a business do when a potential cyber incident has occurred? As a Travelers insured, it's not necessary to wait until a claim has been filed to begin working with a claim specialist. If you have a question or think that a cyber incident may have occurred, contact us. We will walk through the situation with you and determine if a claim needs to be filed and the resources that may be needed to specifically address your situation. A breach coach will be assigned for immediate assistance. A breach coach is a data security and data privacy attorney that specializes in responding to cyber incidents and data breaches. A breach coach is an important part of responding to a potential cyber incident involving your business. He or she can lead the investigation and determine what, if any, legal obligations your business may have as a result of the event. The Travelers claim specialist, your breach coach and you will discuss and triage the situation. This will quickly and effectively determine if computer forensics professionals are needed, and help start your business on the path to recovery. Travelers partners with industry-leading vendors when needed to provide a complete and thorough incident response. This network of vendors provides discounted rates to our insureds, which can greatly reduce the overall cost of an investigation. Throughout the process you will have direct and regular contact with your claims specialist and your breach coach to keep you informed about the investigation of the incident and the progress of your claim. By working closely with you and your breach coach, we help you respond effectively to the incident and get your business back to its normal operations. Let's listen to how this would work in a simulated breach call. In this scenario, a fictitious company called Astonishing Furniture designs, markets and sells high-end modern furniture to customers around the country. Kevin, the CEO, has called Travelers to report an incident, and now a Travelers claims specialist is calling him back.

Good morning, Astonishing Furniture, this is Kevin.

Hi Kevin, Linda from Travelers. I understand that you had an incident happen. Can you tell me a little bit about what occurred?

Yes ma'am, thank you so much for getting back to me this quickly. We had a problem this morning with our IT department. They were installing software or upgrading software, but in any event they caught one of those viruses that locked up my whole system, and now basically my operations are shut down and I have to pay something called Bitcoin, and quite frankly I'm not sure what that is.

I'm so sorry that you're having to deal with this. Your policy provides you with a free consultation with a breach coach, which is a data privacy lawyer that handles these types of situations. Let's see if we can get them on the line so we can figure out the next steps from here. Does that sound good?

That sounds fantastic.

Great. Ed, are you there?

Yes I am. Good morning.

With us we have Kevin on the line, and he had an incident that came up.

Good morning Kevin, my name is Edward Finn. I'm with the law firm of Mullen Coughlin. We are one of the breach coaches for Travelers' insureds. Our job is to parachute in under your policy and quarterback your response to this incident. Now, if you want to tell me a little bit about this incident, I'll be in a position where I can recommend some next steps.

That sounds great. I can't give you too many details, other than my IT department told me this morning that while they were doing a software installation or a software upgrade, we wound up with a virus that has essentially locked down my whole system, so I have no access to any files, including my employee files, my customer files; you know, I've got design plans and specifications out there and it's all locked up. I can't get to it until I pay something that they're telling me is 30 of these bitcoins, and at this point in time, you know, my biggest concern is I can't do my business and I don't know how to go about getting this thing unlocked and getting a bitcoin.

As far as the files you have, employee files, design files, do those contain sensitive information like Social Security numbers, credit card information, anything like that?

They would have all kinds of personal information about my employees, obviously, but on the customer side we do a lot of online business, and so we do take credit cards and information like that about our customers, which are all stored on our network somewhere.

OK, so based on what I'm hearing, it sounds like you're dealing with a ransomware incident, which is unfortunate, and many companies have been hit with this over the past year. What we would do is recommend you bring in a Travelers-approved forensic investigator. We would engage them on your behalf to ensure the investigation is privileged. They can help you restore your data, they can help you purchase the decrypter key with bitcoin if necessary, and they will be able to tell us whether any sensitive information was affected, so that we can give you some legal advice.

That sounds like a plan. Sounds great if they can come in and get me back working.

And certainly, Kevin, we would work with you along the process in order to make sure that we're in compliance with your policy.

And I guess if I have any questions about this, am I coming to you on that?

Both Eddie and I will be in contact with you throughout the entire process.

OK, if you guys can get this taken care of, I can have anybody available this afternoon to have another call with one of those forensic firms that you talked about.

Great, that sounds good. We will reach out to them right now, set up a call, and I'll send you over our contact information and our engagement letter.

Perfect, thank you both for jumping on this so quickly.

We'll be in touch shortly. Thanks, everyone.

Within hours, a forensic firm was retained to conduct the investigation. The investigation revealed that the ransomware was sophisticated enough that it not only encrypted business-critical files but also exfiltrated personally identifiable information and payment card information belonging to the customers and employees of Astonishing Furniture. The breach coach recommended that notifications be sent pursuant to each state statute, and that a mail center and call center be set up to handle the notification process and any resulting inquiries. One year of free credit monitoring was offered to all of the impacted individuals. In this scenario, based on the NetDiligence data breach cost calculator, the cost of the data breach could well have exceeded two million dollars.
Now let's hear first-hand from two experienced breach coaches as they describe how they help businesses respond effectively when a cyber incident occurs.

A breach coach is also an attorney, and as privacy attorneys we focus on helping organizations do very proactive pre-planning, pre-breach response. Most of the time, though, a breach coach is actually focused on incident response, so we will be the first line of communication, often triaging that situation. We get on a call 24/7 with the client, and they're finding out: okay, here's what we know, here's what we don't know, here we have an incident or we have a breach. And we really help sort of quarterback that whole process as breach coaches. A breach coach also knows the right vendors that are needed to investigate and respond to an event appropriately. It could be working with law enforcement, working with forensic investigators, public relations, credit monitoring vendors, notice vendors and call center vendors. A breach coach knows who to call, who can ramp up as soon as possible, and who can provide the best services to an organization that is usually working under a very short timeline to get through an investigation and disclose an event to outside parties. We have the experience, we see the trends, and of course in this space it's so important to realize those trends, the latest threats that are out there. Oftentimes we'll have lots of organizations and clients come to us with a very similar situation in a week or two-week time period, so we can quickly identify that, yeah, we've seen that type of ransomware, we've seen this threat, we know the characteristics of it. So with that experience we're able to sort of leverage that and offer that to our clients: hey, we know exactly what to do. An organization should reach out to a breach coach as soon as it believes that it may have been the victim of or experienced some sort of data privacy event. It could be somebody sending information to the wrong recipient, it could be the theft of a hard drive, a laptop going
missing, it could be a ransomware infection on an organization's systems, it could be a hacker in the system actively exfiltrating data. As soon as an organization feels it may have a data privacy event on its hands, it's best served to call the breach coach right away. But I think it's important that your incident response team is trained to be calling that breach coach pretty quickly. Certainly we want to give notice to carrier and broker respectively, and then we can bring in the various service providers. So if we need a forensic provider to take a look and figure out if we actually have a data breach, again, the breach coach can engage that forensic provider on behalf of the insured. When an organization reaches out to a breach coach, it's going to be very early on, so it's not going to have all the information that it may otherwise want to have when it's talking about the incident. But to the extent that they know at that point what happened, what information is at risk, how it happened and whether the event is ongoing, that would be very helpful. To the extent an organization also has an incident response plan, it would be very helpful for the organization to have that handy when they do get on the phone with the breach coach, so that we can make sure the response plan is accurate, is responsive to the incident, and we can go through the steps outlined in the response plan to investigate the incident. Every event is going to be different; there's no canned breach response that you can utilize for every single incident, but the services are going to be driven by the nature and scope of the data privacy event. If you have an event that impacts the security of information systems or computerized data, we're likely going to rely upon the assistance of third-party forensic investigators, and they would work not to replace the internal IT investigation that's happening, but they would work with the internal IT team to help us determine what happened, whether or not it's still happening, how it
happened and what information is at risk. We don't want to be using an IT firm, a firm that, you know, a client uses to connect their system, handle their day-to-day sort of IT operations. We really want to use firms that focus only on breach response and forensic analysis, because those types of firms that we work with day in, day out are nationally recognized, and they know exactly the type of analysis that needs to be done to be able to provide to the breach coach, so that the breach coach can give that appropriate opinion as to whether or not we have notification obligations. We may also utilize the services of a credit or identity monitoring services provider. There are some laws out there that require those services to impacted individuals, but even if there is a legal obligation to offer those types of services, people have come to expect those services to be offered. And it matters where you're doing a large disclosure, where you have to mail a lot of letters out and you may receive a lot of inquiries: you're going to want to rely on the services of a vendor that provides a mailing service and a call center service, so that the organization having the incident isn't mailing letters and continuing to run their daily business and then responding to inquiries. They have the ability to reduce the number of inquiries that they're going to have to handle and instead funnel them towards an outside call center, and we provide the scripts to the call center representatives to use in responding to questions, so that the messaging regarding the event is consistent and accurate no matter who's giving the message. Finally, a crisis communication firm that we would be able to utilize and leverage. These aren't PR firms; PR firms get us to the top of that Google hit list. We want to use a crisis communication firm, or a firm that is used to data breach response. Not every situation needs a crisis communication firm, but again, based on the high-profile nature of it, perhaps the type of information, or
the organization type, or the actual audience that's going to be getting a letter, that may dictate whether we need a crisis communication firm or not. Typically there are three phases to an incident response. The first phase is going to be the investigation, the second phase is going to be the actual disclosure, and the third phase is going to be defense. As part of the investigation phase, it starts with the very first call that we have with the organization, where we try and determine what happened, what information is at risk, and what needs to be investigated to put a box around the event. At that point we'll determine whether or not we need to bring in third-party forensic investigators to help us identify what happened, confirm it's no longer ongoing, determine how it happened, and what steps need to be taken to remediate the issue that caused the event to occur. With that information we can then move into the disclosure phase. That's when we're bringing in the notification and call center vendors; the breach coach is drafting all of the appropriate notifications: the letters that would go to affected individuals, to regulators that may need to be notified, media notices, frequently asked questions. All of that is sort of in that drafting notification and response stage. We're then using the notification vendor and call center vendor to really execute that phase. After notifications go out, unfortunately, we're not done. We usually get a knock on the door, sometimes physically and literally or via paper, in a data request from a regulator that says, hey, you notified us about a situation, or we found out about your breach, we want a little more information. Sometimes they want a lot more information; sometimes they do want to come in person and do an audit, speak to folks on the incident response team and other employees within the organization. And so we will help organizations respond to those regulators, and the key there, of course, when you utilize breach coaches that have the day-to-day
experience, they're going to be working with these regulators on a very frequent basis, and so they will leverage that sort of knowledge and experience working with those regulators. We know exactly the type of information they need, how they want it, and how exactly to present the situation in the best light for the insured. A company may be facing an obligation to disclose this incident under state law, under federal law, and oftentimes under international law as well. On the state law side, the obligations an organization will have to disclose this event will be driven by the laws of the states of residence of the individuals whose information may be at risk as a result of the event. So if you have an organization that's based in Connecticut but you have data relating to people that live throughout the country, you're going to be looking at the laws of all of those states, and not only the law of Connecticut, to help you determine who needs to receive notice of the event, what the notice should or should not say, when the notice should be provided, and whether or not any services or information should be provided to the individual after breach notifications go out to impacted individuals. Almost half of the states now, of those 47 of the 50 states' breach notification laws, about half of those states will require that we give notice to their various state attorneys general offices, cyber security offices, consumer protection offices, state police offices, either concurrently with the notice to the residents or sometimes a few days before; they want a heads-up. The biggest thing with the regulators: we want to have a concise and organized response and really drill home as to what we're doing to try and prevent this situation from happening again. We want to always look at our contractual obligations, so one of the first things we say on that initial call is: what contracts do you have out there that could be in play, that could have notification provisions in them? So with potential vendors,
with various stakeholders, various contracts that you have out there, it's amazing how many of them have a notification provision when there's a potential compromise of data. From the Payment Card Industry Data Security Standards, they're going to be contractually obligated to give notice to merchant service providers, acquiring banks, the card brands. So when cards are potentially at issue, Visa, Mastercard, Amex, Discover, they're going to have very specific contractual notice obligations. If an organization doesn't comply with its legal obligations to investigate and report out a data privacy event, it may be facing a loss of business, it may be facing reputational brand damage, it may be facing inquiries and litigation from individuals and regulators, and it may be facing fines and penalties from organizational bodies. An organization can reduce cyber risk by taking several different steps. They should identify what data they have, where it is stored, who has access to it, and whether or not they need to have it in the first place. They should also ensure the data is appropriately secured and test the security of the data on a regular basis. We want to have the right policies and procedures in place too, and these aren't just policies and procedures that we draft and put on the shelf in a binder and dust off every couple of years. Of course these are the policies and procedures that the regulators are going to be requesting, so we want to make sure we have them in place, but that we're actually implementing everything we're saying we're doing. An organization should focus heavily on educating their employees on data security and privacy of their customers, patients, and internal data that they have in their possession and control. An organization should also prepare an incident response plan and identify who within the organization is going to be involved in receiving the notice of a potential data event and undertaking all the steps that are necessary to reach out to their cyber insurance carrier and
get in touch with the breach coach and take the appropriate steps to comply with the legal obligations that they have. When all else fails, we want to make sure that we have proper cyber insurance, both first-party and third-party. So for first-party, we want to make sure that we're going to be covering the breach coach, a forensic provider, notification and call center, crisis communication and credit monitoring. But then we also want to make sure we have third-party coverage, so that the client is protected from the regulatory enforcement actions, the single-plaintiff and class-action litigation as well. So both first-party and third-party cyber coverage.

[Music]

Thank you very much for your time today. We hope you enjoyed this session of the Travelers Cyber Academy. If you have any further questions, please contact us at trv cyber at ems travelers dot com. For a replay of this session to share with your colleagues, or to find additional resources on this topic, please visit travelers dot com, forward slash cyber advantage.