Disaster Recovery and Incident Response
IT, Privacy, and eCommerce (ITPEC) Network, Association of Corporate Counsel (ACC)
11 July 2019
GDPR bares its fangs
British Airways – 8 July 2019
• Notice of intention to fine British Airways £183.39m (~$230 million) under the GDPR for a data breach (about 1.5% of worldwide turnover for the previous year, according to media reports)
• The incident in part involved user traffic to the BA website being diverted to a fraudulent site
• The data of 500,000 customers was harvested by the attackers
• Data compromised includes name, address, login, payment card, travel and booking details
• ICO: “Poor security arrangements at the company”
• ICO to consider the representations made by the company and the other concerned data protection authorities before reaching a final decision (the ICO is the lead supervisory authority)
• Elizabeth Denham: “when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”
Marriott International – 9 July 2019
• Notice of intention to fine Marriott International £99.2 million (~$123 million) under the GDPR for a data breach
• The systems of the Starwood hotels group were allegedly compromised in 2014; Marriott acquired Starwood in 2016 and the incident was notified to the ICO by Marriott in November 2018
• Personal data contained in approximately 339 million guest records globally was exposed by the incident (30 million related to EU residents, of which 7 million related to UK residents)
• ICO: “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”
• ICO to consider the representations made by the company and the other concerned data protection authorities before reaching a final decision (the ICO is the lead supervisory authority)
• Elizabeth Denham: “The GDPR makes it clear that organisations must be accountable ... This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Disasters happen…
Some examples of costs due to a cyber-incident
Advanced Persistent Threat (APT): “Carbanak”
Source: https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
Why incident response management matters
• It helps the organization manage and respond to unexpected, disruptive events
• Being prepared ensures a more effective response and minimizes the impact and disruption of the event
• Incidents come in all shapes and sizes: they can be the result of human error, but also of accidents, insider threats, industrial espionage and attacks by cybercriminals
• According to an IBM survey published in March 2019, companies take on average about 197 days to identify a breach and a further 69 days to contain it
• SEC (2014): “boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril”
Quick overview of some legal requirements
• GDPR: notification to the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. The GDPR also requires companies to document any personal data breach, including the facts relating to the breach, its effects and the remedial action taken.
• The Directive on security of network and information systems (NIS Directive) covers the security of network and information systems and digital data. It requires operators of essential services (OESs) and digital service providers (DSPs) to have in place, among other requirements:
  • incident detection processes and procedures;
  • processes and policies on incident reporting;
  • incident response;
  • incident assessment;
  • effective incident reporting mechanisms, including systems to record and report incidents within 72 hours of detection;
  • response and recovery plans.
The clock starts ticking after breach discovery (only 72 hours)!
Security Incident & Personal Data Breach
• Security incident vs. personal data breach: all personal data breaches are security incidents, but not all security incidents are personal data breaches
• What is a personal data breach? “Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” [Article 4(12) of the GDPR]
The technical side
What is an incident?
• An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets
• “Security incident” is more specific: NIST SP 800-61 defines a computer security incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
• IR vs. DR – incident response deals with discrete, usually contained events; disaster recovery deals with major outages that threaten business continuity
• DFIR – Digital Forensics and Incident Response: specialists comb through computers, hard drives, logs, etc. to determine what happened, when, and by whom
• CIRT or CSIRT – Computer (Security) Incident Response Team
• SOC – Security Operations Center
• IDS – Intrusion Detection System
• SIEM – Security Information and Event Management system
Types of Personal Data Breaches
• “Confidentiality breach” – an unauthorized or accidental disclosure of, or access to, personal data
• “Integrity breach” – an unauthorized or accidental alteration of personal data
• “Availability breach” – an accidental or unauthorized loss of access to, or destruction of, personal data
Note: a security incident that makes personal data unavailable for a period of time is also a type of data breach, because the lack of access to the data can have a significant impact on the rights and freedoms of individuals. Exception: planned system maintenance.
Prevention: Security Measures
Companies should take appropriate technical and organizational measures to protect personal data in a way that is proportionate to the risk posed to the data being processed (e.g. accidental or unlawful destruction, unauthorized disclosure of, or access to, personal data). For example:
• Pseudonymisation and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to restore the availability of, and access to, personal data in a timely manner in the event of a technical or physical incident
• Regularly testing, assessing and evaluating the effectiveness of the security measures
• Appropriate training of personnel
All appropriate technical and organizational measures shall be in place to establish immediately whether a personal data breach has occurred and to inform the supervisory authority and the individuals (if applicable).
Prevention: Data Protection Impact Assessment
Companies should plan in advance and put in place appropriate mechanisms to prevent, detect and handle a personal data breach, to assess the risk to individuals, and to determine whether it is necessary to notify the competent supervisory authorities and communicate the breach to the individuals.
The Data Protection Impact Assessment (DPIA) is a monitoring and review requirement that applies where processing operations are likely to result in a high risk to the rights and freedoms of individuals. The DPIA should contain at least the following:
• Description of the processing operations;
• Purposes of the processing;
• Assessment of the necessity and proportionality of the processing operations in relation to the purposes;
• Assessment of the risks to the rights and freedoms of individuals; and
• Measures taken to address the risks, including security measures to ensure the protection of personal data
Preventing incidents: “an ounce of prevention is worth a pound of cure”
• Cyber hygiene & education – people are the weakest link. Malware and attacks are like vampires: they generally must be invited in (credential management & phishing)
• Patch management – update all software! Most exploits occur months or even years after the vulnerability has been discovered and patched
• Backup – the most important prerequisite for IR/DR (and useful for other practical reasons); test restoring from it, not just taking it
• Logging – turn on detailed logging on every machine and for every application, both locally and to a remote, append-only log server that the logging hosts cannot modify or delete from, so that an attacker who compromises a host cannot erase its history. This is important for detection and invaluable during the digital forensics portion of incident response
Disaster Recovery
• Disaster recovery ensures business continuity. A data backup alone is not a sufficient precaution in the event of a disaster
• A backup is a copy of your data; a disaster recovery plan is the insurance that its recovery will actually work. All aspects of the current environment should be considered, including physical resources, software, connectivity and security
• A disaster recovery plan includes a recovery point objective (RPO) and a recovery time objective (RTO). The RPO is the maximum amount of data loss, measured in time, that the organization can tolerate, and therefore dictates how frequently backups must be taken; the RTO is the maximum downtime the organization can tolerate
• Disaster recovery involves determining which systems are mission critical, creating a recovery order (dependencies such as identity services and databases must come back before the applications that rely on them) and a communication process, and testing the plan
• Where a breach involves the loss of encrypted data, even if a backup of the personal data exists this may still be a reportable breach, depending on how long it takes to restore the data from that backup and the effect that the lack of availability has on individuals
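The recovery-order and RPO/RTO points above are easy to state and easy to get wrong in practice, because downtime accumulates along the dependency chain while each system's own restore time looks fine in isolation. The following is an added example, not part of the presentation: it builds a recovery order from a small inventory (dependencies first, tightest RTO first among the systems that are ready), simulates one team restoring sequentially, and reports which systems would miss their RTO or RPO. Every system, dependency, backup time and duration in it is constructed for illustration.

```python
"""
Recovery order and RTO/RPO check for a small DR inventory.
Added illustration, not from the presentation; every system, dependency and
time below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class System:
    name: str
    rto_min: int           # recovery time objective: tolerated downtime, minutes
    rpo_min: int           # recovery point objective: tolerated data loss, minutes
    restore_min: int       # measured time to rebuild and restore from backup
    last_backup: datetime  # most recent *verified* backup before the disaster
    depends_on: List[str] = field(default_factory=list)


def recovery_order(systems: Dict[str, System]) -> List[str]:
    """Dependencies first; among systems whose dependencies are up, tightest RTO first."""
    remaining = dict(systems)
    done: List[str] = []
    while remaining:
        ready = [s for s in remaining.values() if all(d in done for d in s.depends_on)]
        if not ready:  # a dependency cycle, or a dependency missing from the inventory
            raise ValueError("cannot order: " + ", ".join(sorted(remaining)))
        nxt = min(ready, key=lambda s: (s.rto_min, s.name))
        done.append(nxt.name)
        del remaining[nxt.name]
    return done


def simulate_restore(systems: Dict[str, System], disaster_at: datetime,
                     order: List[str]) -> Dict[str, dict]:
    """One team restoring sequentially: downtime accumulates along the order."""
    clock = disaster_at
    report: Dict[str, dict] = {}
    for name in order:
        s = systems[name]
        clock += timedelta(minutes=s.restore_min)
        downtime = int((clock - disaster_at).total_seconds() // 60)
        data_loss = int((disaster_at - s.last_backup).total_seconds() // 60)
        report[name] = {
            "restored_at": clock,
            "downtime_min": downtime, "rto_met": downtime <= s.rto_min,
            "data_loss_min": data_loss, "rpo_met": data_loss <= s.rpo_min,
        }
    return report


def sample_inventory(disaster_at: datetime) -> Dict[str, System]:
    """Constructed inventory: identity provider -> database -> web shop / reporting."""
    def ago(minutes: int) -> datetime:
        return disaster_at - timedelta(minutes=minutes)
    inv = [
        System("idp", rto_min=60, rpo_min=60, restore_min=30, last_backup=ago(30)),
        System("db", rto_min=120, rpo_min=15, restore_min=45, last_backup=ago(40),
               depends_on=["idp"]),
        System("web", rto_min=90, rpo_min=240, restore_min=20, last_backup=ago(120),
               depends_on=["db"]),
        System("reporting", rto_min=1440, rpo_min=1440, restore_min=60, last_backup=ago(720),
               depends_on=["db"]),
    ]
    return {s.name: s for s in inv}


def run_example():
    disaster_at = datetime(2019, 7, 8, 9, 0)  # constructed disaster time
    inv = sample_inventory(disaster_at)
    order = recovery_order(inv)
    return order, simulate_restore(inv, disaster_at, order)


if __name__ == "__main__":
    order, report = run_example()
    print("recovery order:", " -> ".join(order))
    for name in order:
        r = report[name]
        print(f"{name:10s} up at {r['restored_at']:%H:%M}  downtime {r['downtime_min']:4d} min"
              f" [{'ok' if r['rto_met'] else 'RTO MISSED'}]  data loss {r['data_loss_min']:4d} min"
              f" [{'ok' if r['rpo_met'] else 'RPO MISSED'}]")
```

In the constructed inventory the database misses its 15-minute RPO because its last verified backup is 40 minutes old, and the web shop misses its 90-minute RTO even though its own restore takes only 20 minutes, because it cannot start until identity and the database are back. Those are exactly the findings a tabletop exercise should surface before a real disaster does.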
How to prepare
• Have an incident response (IR) plan that includes customer notification and support
• Ensure personnel have received IR training
• Identify your incident response team (IRT): legal, PR, information security, DPO? Keep a contact cheat sheet
• Develop a communication plan in advance
• Consider all of the ways an incident may be detected (e.g. help desk, intrusion detection system, systems admin, network/security admin, staff, managers, or outside contact) and make sure there is a communication plan for each
• Testing, e.g. tabletop exercises (roundtables)
• Make legal privilege part of your IR strategy (separate the IRT from the lawyers, and consider having the lawyers engage the forensics firm)
• 72 hours – the clock starts ticking when there is a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
Occurrence: Documenting the Personal Data Breach
The company responsible for the personal data (i.e. the data controller) shall document (e.g. in an internal register of breaches) every personal data breach, regardless of whether it needs to be notified to the supervisory authority. The record must contain:
• The facts (e.g. causes, what happened, type of personal data affected);
• The effects and consequences;
• The remedial action taken;
• The reasoning for the decisions taken in response to the breach (recommended)
The supervisory authority can request to see the controller’s records.
Avoid recording the personal data itself in the register; otherwise the storage limitation principle under the GDPR applies and you must assess an appropriate retention period for the records.
Consider creating an internal notification procedure, informing employees that it exists and making sure they know how to react in case of a personal data breach.
Response: Incident Response Steps
• Detection – antivirus, IDS, automated audit log scanning, the IT/security team spotting anomalies, users/customers. Obviously you want to detect earlier (and internally). Example: the 2018 Bitdefender report on the Carbanak attack on an eastern European bank – detection took 55 days!
• Response – the Computer Security Incident Response Team (CSIRT) assesses the damage and collects/preserves evidence
• Mitigation – limit the effect and scope of the incident (stop the bleeding), e.g. physically disconnecting the network cable
• Reporting – notifying senior management; fulfilling legal reporting requirements (especially for PII) to law enforcement, data protection authorities and/or customers/the general public as necessary
• Recovery – one or more steps that may be as easy as: 1) reboot, 2) remove/quarantine malware, 3) recover and verify data from backup, 4) fresh reinstall, configuration, and recovery from backup, 5) new hardware, clean install, configuration, recovery from backup, 6) new [hot/cold] site… (Disaster Recovery – Business Continuity Plan)
• Remediation – prevent the exact or a similar incident from happening again: root cause analysis (e.g. implement a patch management system). Practically: change passwords, rotate certificates and keys, etc.
• Lessons learned – debrief, turn the implicit knowledge gained into explicit knowledge, institute new policies
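The detection step above lists "automated audit log scanning" without saying what such a scan looks like, and the logging advice earlier in the deck only pays off if something actually reads the logs. The following is an added example, not part of the presentation: a small detector run over constructed sshd-style authentication lines (ISO timestamps, hostnames and IP addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are all made up). It raises one alert when a source produces a burst of failed logins inside a short window and a second, higher-priority alert when a successful login from that same source follows the burst, which is the point at which an incident response team should be paged rather than a ticket filed. A helper computes time-to-detect and time-to-contain for an alert, the two figures the deck quotes as 197 and 69 days for the average organization.

```python
"""
Log-based detection over constructed sshd-style auth lines: a burst of failed
logins from one source, then a success from that same source. Added example,
not from the presentation; the log lines, host and IPs are made up
(documentation ranges 198.51.100.0/24 and 203.0.113.0/24).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: six failures then a success from 198.51.100.23 (attacker),
# one typo then a success from 203.0.113.8 (a normal user), plus a PAM line
# that the regex does not match.
SAMPLE_LOG = """\
2019-07-08T02:14:01 web01 sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
2019-07-08T02:14:05 web01 sshd[4023]: Failed password for root from 198.51.100.23 port 50124 ssh2
2019-07-08T02:14:09 web01 sshd[4025]: Failed password for invalid user test from 198.51.100.23 port 50126 ssh2
2019-07-08T02:14:14 web01 sshd[4027]: Failed password for deploy from 198.51.100.23 port 50128 ssh2
2019-07-08T02:14:20 web01 sshd[4029]: Failed password for deploy from 198.51.100.23 port 50129 ssh2
2019-07-08T02:14:27 web01 sshd[4031]: Failed password for deploy from 198.51.100.23 port 50130 ssh2
2019-07-08T02:14:40 web01 sshd[4033]: Accepted password for deploy from 198.51.100.23 port 50131 ssh2
2019-07-08T02:14:40 web01 sshd[4033]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
2019-07-08T08:05:10 web01 sshd[5102]: Failed password for alice from 203.0.113.8 port 61002 ssh2
2019-07-08T08:05:31 web01 sshd[5104]: Accepted password for alice from 203.0.113.8 port 61003 ssh2
"""


def parse(lines) -> List[dict]:
    """Turn matching sshd auth lines into events; other lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # a real pipeline should count unparsed lines, not silently drop them
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: List[dict], threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Two detections per source IP:
       brute_force         - at least `threshold` failures inside `window` (raised once per burst)
       possible_compromise - an Accepted login while such a burst is still inside the window
    """
    recent_fail: Dict[str, List[datetime]] = defaultdict(list)
    bursting = set()
    alerts: List[dict] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        fails = [t for t in recent_fail[e["ip"]] if e["ts"] - t <= window]
        if not e["ok"]:
            fails.append(e["ts"])
            if len(fails) >= threshold and e["ip"] not in bursting:
                bursting.add(e["ip"])
                alerts.append({"type": "brute_force", "ip": e["ip"], "count": len(fails),
                               "first_seen": fails[0], "detected_at": e["ts"]})
        elif len(fails) >= threshold:
            alerts.append({"type": "possible_compromise", "ip": e["ip"], "user": e["user"],
                           "count": len(fails), "first_seen": fails[0], "detected_at": e["ts"]})
            fails = []  # burst consumed; a fresh burst must build up before alerting again
            bursting.discard(e["ip"])
        recent_fail[e["ip"]] = fails
    return alerts


def dwell(alert: dict, contained_at: datetime) -> Dict[str, int]:
    """Minutes from first evidence to detection, and from detection to containment."""
    return {"to_detect_min": int((alert["detected_at"] - alert["first_seen"]).total_seconds() // 60),
            "to_contain_min": int((contained_at - alert["detected_at"]).total_seconds() // 60)}


def run_example() -> List[dict]:
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['detected_at']:%Y-%m-%d %H:%M:%S}  {a['type']:20s} {a['ip']:15s} "
              f"failures={a['count']} first_seen={a['first_seen']:%H:%M:%S}"
              + (f" user={a['user']}" if "user" in a else ""))
```

On the sample the attacker's fifth failure raises the brute-force alert at 02:14:20 and the subsequent success for `deploy` raises the compromise alert at 02:14:40; the single mistyped password from 203.0.113.8 never crosses the threshold. The threshold and window are tuning knobs: set them from your own baseline of failed logins, and ship the same logic to the remote log server rather than relying on the host under attack to run it.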
Notification
• The regulators will want a clear summary of the facts and of the steps taken to safeguard data subjects
• Most DPAs have online notification forms (and no, they are not harmonized). They require specific information about the breach
• Utilize the 72 hours to get your house in order!
• The GDPR sets out a minimum level of information (most forms ask for more):
  • Description of the nature of the breach
  • Categories and approximate number of affected individuals and records concerned
  • Contact details for the DPO (or other contact person)
  • Likely consequences
  • Measures taken (or proposed)
• If it is a processor breach, ensure you have received accurate and granular information (this should be addressed in the contract)
• Establish a lead contact (the DPO or another person)
Thank you
• Paul Lanois, Director – T: +1 650 422 9122 – E: Paul.Lanois@fieldfisher.com
• Mirena Taskova, Senior Associate – T: +1 650 276 6692 – E: Mirena.Taskova@fieldfisher.com
• Joel Froese, Independent Security Consultant – T: +1 803-629-6067 – E: j.froese@thequipu.com