Cyber Incidents & Impact on Business

No description
by

Neil Hare-Brown

on 12 July 2012


Transcript of Cyber Incidents & Impact on Business

Cyber Incidents & Impact on Business

Agenda
  A bit about...
  Advanced Persistent Threat / Targeted Attacks
  Data Breach Incidents
  Scale of the Problem
  Impact on Business
  What to do

A bit about...
  Formed 1996: Computer Crime Unit & Banking CISO
  Largest DF labs in Central London
  #1 DF provider to the Met Police
  Computers, mobile devices, cellsite
  Predictive analytics
  Average 40 cases per month
  4 business areas:
    Incident Response
    Digital Investigations
    Blackthorn GRC
    GRC Training

Targeted Attacks

RSA
  Targeted attack (possibly state sponsored) using malware hidden in spreadsheets attached to emails sent to RSA staff, entitled "2011 Recruitment Plan".
  Thieves mounted an APT attack and downloaded serial numbers and seed codes.
  Codes accessible via Internet??
  Hackers then used the credentials to attack systems at an RSA customer, Lockheed Martin.
  RSA's parent, EMC, revealed an 18% drop in margins on the RSA business due to costs directly related to the attack.
  Costs of re-distribution approx. $50m.
  Significant loss, though, to customers who absorb the bill for the internal bank response and re-distribution costs.

Global Payment Systems
  1.5m credit card data records stolen.
  Unclear as to whether further personal data was breached.
  Dropped from the Visa & Mastercard compliant providers registry.
  Investigation:
    Hackers owned the web servers
    Forensics showed breaches from June 2011
    Dominican street gangs from in and around New York involved
  Secondary losses:
    Law firm Robbins Umeda may sue officers for breach of fiduciary duty
    Share price dropped 11% since the breach

Data Breach Incidents: Professional Services Firms (mainly in the US)

August 2011: Baxter, Baker, Sidle, Conn & Jones, loss of PHI.
  A BBSC&J employee lost a hard drive containing network backups that included the medical records of 161 patients at Mercy Medical Centre.
  Drive lost on the Baltimore light rail.
  MMC compensates patients for the cost of monitoring and sues BBSC&J.

E&Y, January 2012, loss of client data: Regions Financial Inc.
  Encrypted flash drive lost in the post... ...along with the crypto codes!!
  27,000 PII records lost or stolen: SSNs & sensitive financial data.

PwC, April 2012, loss of PII from client Under Armour: names, SSN & salary data.
  Unencrypted flash drive lost in the post and... 5,400 client employees offered credit monitoring.

Thought on home insurance!

42% of law firms don't monitor for data breaches.

Scale of the Problem

Some stats
  2011: 855 breaches, 174m records compromised
    large % of data theft by activist groups
    long discovery times (weeks to years)
    high % of discovery by third parties
  2012: 500+ reported breaches to date
    ITRC alone reports 189 breaches, 13.5m records compromised
  Data sources are becoming more reliable
  Many compromises with simple solutions
  Nearly all PCI breach victims were non-compliant

Obvious targets
  Payment data
  Other PII, inc. healthcare
  R&D information

Impact on Business

Primary loss
  Time in response
  Expertise
  Initial loss: productivity

Secondary loss
  Fines
  Legal costs
  Reputation
  Lost clients & business

When it comes to effective incident response, most organisations are... in the dark.
"How do we get out of here?"

What can you do?
  Identify your 'data crown jewels'
  Get tough on non-compliance
  Identify all practical ways of managing risk

Don't rely purely on...
  Anti-virus
  Firewalls
  Other mitigating controls

Plan, plan, plan!
  #1 Plan for incidents
  #2 Engage with reputable specialists to review your readiness
  #3 At least... ...know who to call when something goes wrong ;-)

A Question of Risk
  Of the 4 risk treatment methods, in security we tend to use only risk mitigation and risk acceptance.
  Remember: risk transfer is also a viable option.

The best advice, though... one stop shop, 24x7x365:
  Forensic analysts
  Legal
  PR
  Investigators
  Planning guides
  Secure claims/case management system

Thank you for your valuable time! neilhb@qccis.com