KevvieFowler Latin CACS 2019 Santiago_CHILE

Let's try this again. Good morning everyone. Awesome, thank you so much. I apologize, but this session will be in English only, so does anyone here not speak English? Great. For the people who speak half English and half Spanish, I will speak at a very good pace, but I do apologize. If you are with someone who does not speak English, let them know that Nico from Deloitte will buy them lunch, okay, to make up for it, so please take them up on that.

We're going to talk this morning about cyber defensibility and incident response, which is one of the most important topics in cyber, in my humble opinion. And it's interesting, this is my first time in Chile. I'm based in Canada, in Toronto specifically, and the winter that you have here in Chile, I didn't know how to pack when I was coming down. We have winter jackets, we have snowshoes, we have scarves, we have all of these things, but I decided to pack as if it were summer. On the way to the conference center today there was a lady walking down the sidewalk; she was wearing a scarf, a winter jacket and mittens. Based on this temperature I was this close to wearing shorts, sandals and a tank top, but I was convinced otherwise. So it's a little hot here, but we're going to make the most out of it.

Just before we get into incident response and cyber defensibility, I'm going to let you know a little bit about myself. So again, I'm Kevvie Fowler. I'm a partner and I'm a global cyber incident response leader at Deloitte. What that means is we help organizations prepare for an incident proactively; during an incident we actually go in and manage the incident for a client; and after the incident is managed we help them with legal defense, so if they need an expert to testify as to what happened to them, if it was their fault or not their fault, the scope of the incident, we serve as expert witnesses, and we help them improve cyber security controls afterwards. I've been in the industry now for over 22 years. When I started I was the young guy in the industry; now I feel very, very old. Looking at the video that we saw earlier today, it was great to see computers that are older than I am. I think they were from 1969, which is amazing. It makes me feel young at heart. But when I'm not at Deloitte fighting cybercrime I'm quite active in the security community, so I do a lot of work with media, I speak at a lot of conferences, and I'm an author as well. I'm the author of Data Breach Preparation and Response, which is a book, and SQL Server Forensic Analysis. I've also written chapters for lots of other security books that are out there. Show of hands, has anyone actually read any of these books? One hand in the back, awesome. I was going to feel really bad here. So that's my background. I'll be bringing a lot of stories, a lot of experience, and I hope you enjoy the session.

So when we
look at cyber security today, again, I've been doing this for 22 years, and I can honestly say that trying to manage cyber risk is more difficult today than it has ever been in the history of cyber security. We have what's known as a perfect storm of risk. So the threat landscape is changing, becoming more complex. Going back, before, I was a developer. You had to write pages and pages of code just to draw a box on the screen. Now you can go to the internet, you can download very sophisticated threats that someone else has developed, type in an IP address, hit the attack button, and it's that easy to launch a very sophisticated attack. You don't need a computer science degree, you don't need a lot of education, you just need to be motivated in order to do so. So it's very difficult in terms of how complex these incidents are getting.

It's also complex because there are so many security controls that are out there in the industry. You have firewalls, you have intrusion prevention systems, you have endpoint detection controls. The sole purpose of these controls is to generate a lot of security events. It's not uncommon for organizations to get millions of events, sometimes per day, sometimes per week. Research shows out of all of these events you have to find the 1% of the 1% of all of them, and those are the ones that you need to be responding to. Easier said than done. Security teams are very overwhelmed trying to manage the amount of events and alarms that they're getting.

The repercussions of cyber incidents are changing as well. You go back years and years ago, you were the victim of a cyber security attack, you could just say that was the nation-state, there's nothing we could have done to protect it. That's not good enough in this day and age, and you have a lot of laws that are changing. If you look right here in Chile there's been a lot of activity when you look at Latin America and in Chile, and the big bank hack from last year as well; that's driving changes from a legislative and regulatory standpoint.

And the last point I think I'll capture on this slide is there's a global skills shortage. Based on the last research that I saw, for every cybersecurity expert, so pretty much everyone in here, for each one of you there are 10 open jobs globally for cybersecurity people. They can't find enough qualified people. You can take that stat, you can go back to your employer and you can demand a raise if you like with that, so don't say I didn't help you as part of this session. So
those are the risks and that's why it's so difficult to manage cyber. I want to take a second though and talk about some of the attacks that are out there, some of the most notable cyberattacks. And we have extortion-driven attacks, you can see in the call-outs on the right-hand side of the screen, and we have data breaches. I'm going to talk about just those two, not everything in the list, and we're going to take a deeper dive into them, and hopefully we can get into some content that maybe you haven't seen regarding these attacks.

So the first type of attack comes down to extortion-driven attacks. The assumption I'm going to make here today is everyone in here is familiar with ransomware. Has anyone here not heard of ransomware? Don't put your hand up, anyone. Okay, good. Ransomware, our standard viruses: they infect a system, they encrypt data and they hold that information for ransom. You pay a ransom in the form of some sort of cryptocurrency, that might be Bitcoin, that might be Litecoin, and when you pay that you get access to your information again. That's the way ransomware was a few years ago. Ransomware has changed though. Go back a few years ago, you could get hit by ransomware, you might look for backups, you restore information from backup and you say that's fine, you resume business operations, and that's well and good. Modern ransomware today though is much more complex. Modern ransomware has backdoors that allow people on the outside to get access into the environment. So when organizations get hit with ransomware, any type of ransomware, it's important that you don't just look for operational recovery. You have to figure out what type of ransomware you got hit with, so what's the specific family or strain or type of ransomware, what modules were actually enabled on the ransomware, does it have a remote access module? If it does, they need to have a broader investigation to do to figure out what they did within your environments. It's not just operational recovery.

Based on the attacks we're seeing as well, it's quite interesting: hackers break into companies, they jump from system to system using lateral movement, they identify key data, they consolidate that, they exfiltrate it, and right before they leave they unleash ransomware. And what does that do? It covers their tracks, so it makes it very difficult for forensics and incident response people to actually manage that incident. And we've worked with companies who actually pay a partial ransom. So the organization will say we have backups, we're going to restore, but we don't know if the hackers did anything else within our environment, so they target a few key systems that have the sensitive information on them, negotiate with the hackers to get a partial ransom payment just so we can get access to the logs and the forensic information we need to discount the instance of a security breach or exfiltration of sensitive information. So it's very, very difficult when you're managing modern ransomware today, and that's reactive ransomware. It's loud; people know when an incident actually happened.

Has anyone here heard of a proactive extortion-driven attack? No? So what a proactive extortion-driven attack is, it's when cyber criminals wake up in the morning, they wake up, they say, you know what, I want to try and make some money. Instead of me trying to hack into a company, whether it's social engineering or through a vulnerability, and unleashing ransomware in the environment, I'm not going to do it because it takes work. What I'm going to do is I'm going to type up an email threatening that company, and then I'm going to send the email to the company: that if they don't pay me a certain amount of bitcoins, it's a smaller amount typically, I will hack their company, I will steal their information, I will unleash ransomware. Do you think that actually works? Companies are paying. They're getting these letters and they're saying, I can pay a small amount of ransom and not have an issue, as opposed to not doing it and running the risk of a massive incident, and they're paying. So nothing has actually happened. And keep in mind cyber insurance policies; does anyone here have cyber insurance? You know, a few people with cyber insurance. A lot of times you have to prove that something happened. With proactive extortion nothing has actually happened; there's a threat of something happening. So a lot of times there's not coverage to actually provide to the company. So it's very, very difficult and very, very different to manage.

If we look at extortion-driven attacks, so cyber criminals, their goal is to make as much money as they can with the least amount of effort as possible, like teenagers: they want to do as little as they can and just get by. So there's a huge part of the population who are still not dependent on computers and technology, believe it or not. We have tradespeople, handymen, etc. They don't necessarily need computers and whatnot to run their businesses when they're small scale. Cyber criminals still target these companies. Instead of typing up an email and sending that to the company, what they're doing is they're typing a letter, keep that in mind, they're printing it out, they're going down to the post office, they're buying a stamp, they're mailing it to a company. The owner of the company opens the letter and it says, congratulations, you've been targeted for extortion. Pay us money or else we will call law enforcement or call in a fake bomb threat so they disrupt your place of business; we will do a SWAT and talk about a hostage situation, and that will disrupt your business for a number of days. And what do you think, are people paying? Yes. It's scary. On the screen in front of you you've got examples of both emails that were typed up and sent electronically to companies proactively demanding a ransom, as well as a letter that was actually mailed to another company doing the same. Very, very real.

So extortion-driven attacks are here to stay. A lot of people ask, Kevvie, should we pay the ransom, should we not pay the ransom? They're writing a policy and they want a blanket statement. I am not pro, I'm not against, I'm pro-choice. I think organizations have to have a process in place that if anyone within the organization, whether it's a staff member, whether that's the IT guy, whether that's an executive, if they get one of these notices, they should ensure that notice is sent to the right team internally to figure out how to respond to it, okay? So it's very important that you have that collection process from a defensibility standpoint, because in the event that someone gets it, says I think this is a scam, discards it, then something happens, that's liability. That's what you want to avoid from a cyber standpoint.

Next I want to talk a bit about data breaches, and you
can't talk about data breaches without first talking about the types of data that the hackers are after. And there's been a lot of activity here in Latin America and specifically Chile in the financial industry, and a lot of press regarding a major bank heist from last year, and the fear I have of this is that everyone is going to be focusing on banks, saying cybersecurity is a big issue for the banks, and it's not an issue for just the banks. What we've done at Deloitte, because we have people who are wired this way, we have people who masquerade as others on the dark web, and they sit there and they scan and they look for the type of information that's being requested and the type of information that's being sold, and based on that we've collected the types of information that are most desirable by people in the underground economy to make money. This is the type of information that is stolen the most. We have a bunch of gray circles on the screen here, and that's the type of information that is most targeted and most sold. I also have the price of the information in USD, so the United States currency, so the going rate for the data, and we'll take a second just to talk about that.

So at the bottom left of your screen we have health information. That's personal information that people could use; they typically use it for health fraud. That's going anywhere from $1 to $1,000 per health record. We have social media information, so that might be your Twitter account, that could be LinkedIn, that could be any other social media account. The more popular you are, the more money your account costs, or can be sold for, I should say, on the dark web. You often get the question, why would someone care about my personal photos or other pictures? The more popular you are, the more people are going to want to see what you have to say. Sending spam from traditional email accounts is a dying business. A lot of times people get emails, they look at that and they say, I'm not going to click on it; they have awareness around it. When you look at social media accounts, people are much more trusting of a message that comes through a social media platform than they are of an email, so cyber criminals are now sending spam out of social media networks, and the monitoring and controls are pretty much non-existent in these areas. That's why it's so lucrative. There's also something known as BYOI, I'm not sure if you've heard of that; it's bring your own identity, and people are setting up websites, and instead of requiring a separate username and password they're saying, log in with your social media accounts. So now social media accounts are leading to a lot of other types of information as well, and that's why they're so desirable.

Loyalty rewards, a huge surge. What's happening in the industry today in loyalty rewards: people are getting access to accounts, getting points, transferring points from account to account, cashing in points for merchandise and selling the merchandise to make money. And the thing is, as a consumer, I think I'm guilty of this as well. I won't mention names specifically, I'm going to try and get through the session without mentioning names, but I will collect points, whether it's points from restaurants, points from travel. I will do that for a year or two years, then I'll log into my account and see I have 10 points. I'm going to think that loyalty reward program sucks. In reality someone has got access to my account and they siphoned the majority of my points out. It is much more difficult to detect these crimes and there are much fewer security controls when you focus on loyalty reward points: easy access, just as good as cash.

Personal information, first name, last name, address, other personal details, very, very highly targeted by cyber criminals. We have financial information, you have credit card information, access to online financial accounts, also equally important; that's going anywhere from $3 to $5,000 depending on how much money you have in your account. And then we have usernames and passwords; regardless of what the site leads to, people can associate a username and password with an identifiable individual, and they can get access a lot of times to a lot of other sites where people have reused usernames and passwords.

Again, in the media there's been a large focus on banks. So both in Mexico there were a string of banks that got hit from cyberattacks, and here in Chile of course there was that large bank, probably the most high-profile example we've had in the past year. The thing is, when you look outside of South America, in other countries, hackers are breaking into the banks, they're seeing the financial information, they're walking right by it, they're not touching it, they're grabbing the personal and health-related information and then they're leaving, not touching the financial data. Does anyone know why? Shelf life. Right now I'm a hacker, I break in, I steal information from a bank, I might be doing credit card fraud or something else associated with it. Banks have fairly good detection mechanisms to detect fraud, so the life expectancy of that information, that stolen bank information I have, might be a few weeks or a few months, depending on how quickly the bank can detect fraud. When we get into personal or health-related information, how often can you cancel that and change that information? Aside from witness protection, there's no way to do it. The life expectancy goes from a few weeks or a few months to as long as a person stays alive. So I'm in my 40s now; I think I have another 40 years left in my life. If someone broke in and stole my personal information, it's valid for the next 40 years. Instead of hackers having to quickly monetize the information, they could hack in, they could steal it, they can retire for a few years, spend the money they have, and if they need more money they can come out of retirement and then sell the information they stole years ago, because it's still valid. And that's why this information is so desirable now. So it's not just financial information, it's not just for the banks.

In the lime green circles we have the size of the industry, so the type of frauds that people use the information for. I'm not going to map through all the different lines here, but these slides will be available; if you want to do that mapping you can. But those are the types of information that
are most desirable by hackers. So then the breach happens. Organizations have this information, and it's not just the banks; again, it's any information, any organization that has personal data, who has calculated information, loyalty reward points. That means every organization in every sector, big or small; eventually they will suffer. And when breaches happen, the cost of a breach varies. Based on the most recent research from the Ponemon Institute, the cost is three point eight six million on average for a breach; that's from 2018. In 2019 the researchers updated, and it was three point nine two million, so just about four million dollars on average to manage a data breach. But there are a few factors that either drive up or drive down the cost. I'm going to step through a few factors; I'm not going to go through everything we have here.

The cost of technical investigation: so when an organization suffers a security breach, you typically go out and you bring in cybersecurity experts and forensic experts. They can sit there, they can scan the environment, identify what the hacker did, what access to information they had and what they did with that information. So there's a cost typically associated with that. The more locations that you have, when you look at retailers, gas stations, even banks, we have a lot of locations, the cost typically goes up, because you have to deploy these different tools and do the investigation on more systems that don't necessarily have logical connections.

The cost of customer breach notification, that's the cost to notify people. If you look right here in Chile, you have the SBIF that regulates banking. If you suffer an incident you have to notify the SBIF. This is before the big bank heist: it was as soon as possible, not within a certain amount of time, but as soon as possible, and that's been changed now to 30 minutes. Is that easy to do, to do an investigation and then notify within 30 minutes? Show of hands, is that easy to do? You know, we're going to talk about just how difficult that is on the next slide. But you have notification, and I've actually read, I haven't confirmed 100%, but I've read in the wake of that big bank heist from last year the SBIF has updated the requirements within the RAN, and that was also not just to notify the SBIF but that was direct notification to the customers as well. So the cost of breaches is expected to increase, because you're not just notifying the regulator, you're notifying all of the victims as well.

And you have post-breach protection services. So a breach happens; most organizations offer identity theft and fraud monitoring services for victims. So that has a cost, and the cost is about 60 to 70 dollars USD per person to monitor for a year. So when you read about these big breaches that are millions, so if you look at, again not mentioning companies, there is a large dating site, they had I think 500 million customers that got hacked. The cost for just the fraud and the identity theft monitoring was astronomical, and that can actually put organizations alone out of business, just to pay for the cost associated with that. Then you have regulatory compliance, so a lot of times auditors will come on-site, they do an audit just to make sure everything happened; there's a cost associated with that. You have public relations; you might have messaging, communications that you want to send out as well. And then you have litigation, so you have the class-action lawsuits; there's different types of lawsuits that your organization might face if you suffer an incident. We'll talk a little bit more about that on the next slide. And then you have the cost to actually improve cybersecurity. Most organizations that suffer an incident improve cybersecurity afterwards, partially to prevent a repeat incident from happening again, but also selfishly to help restore trust, to go to our customers and say, yes, we suffered an incident, but don't worry, we improved our cybersecurity spending, so come back and do business with us. Okay, so it's a multi-pronged attack they take.

So that's all above the surface, and that's, within on average, about just under four million dollars per breach. But there are costs below the surface that a lot of people do not consider, and again I won't be going through all of them; I'll focus on just the top two. Insurance premium increases: just like a car, I'm driving a car, I get in an accident, I call my insurance company, they say don't worry, we're going to take care of you. They do a good job fixing my car, and then the renewal period comes up, and then I look at the new bill thinking, wow, that's a lot more than it was before. The exact same thing happens in the cyber insurance industry, and based on research we did recently, it's between 50 and 200 percent increase in premiums. That can be material when you're looking at an organization's policy and what it costs to cover that. And also the increased cost to raise debt. When breaches happen, a lot of times it can affect the organization's credit rating. Not sure how many people are aware of that. So you can suffer a breach, you might have a good credit rating, you suffer a major breach, you might be downgraded to poor. Now to get bank financing, to carry debt, you might be looking at an increase of 2%, 3%, 4% on millions and millions of dollars. So that again is another cost that you have to consider, and the list goes on and on. I won't be covering all of them today; again the slides will be available though if you need them moving forward.

So, enough doom and gloom, let's talk
about what we need to do to actually ensure the way we respond to an incident is defensible. And what we have on the slide is a stopwatch, and each number on the stopwatch is a critical step that you typically would have to perform as part of defensible incident response, okay? I'm going to start at 12, even though numerically it's the highest. I'll start at 12, which is preparedness, and that's what you need to do to prepare proactively for an incident. If you look at, again, the updates to the RAN that were just most recently made, now the need for cyber security, to ensure proper security within the organization, has now been said that within financial institutions that needs to be a board-level objective. Board members now have to demonstrate proper governance of cybersecurity. You can't just hire a security guy, the company's breached, and fire the security guy and say, well, I don't know, I don't know how he slipped through our screening process, he's gone, don't worry. Now boards have to demonstrate that they were intimate with the cybersecurity risk that the organization had and how they were managing it. It's very, very different, but preparation is key from an incident standpoint. We'll talk a little bit more about that next slide.

Number one is detection. Most companies will go out and they'll write an incident response process, they'll run simulations to test that process internally, then they say we're ready for an incident or for a breach, and they monitor their systems and nothing happens. Research shows someone on the outside identifies the incident and calls up the company saying, you've been hacked, I don't know if you've realized that. That might be a partner, that might be an employee who sees their information on the dark web, etc. But most companies skip the detection piece, and when you look at cyber liability today, one of the key areas, one of the key reasons why people sue is because it took your organization too long to detect the incident. From when the breach happened to when it was detected is too long and they start to sue, okay? So detection is key, and organizations proactively should take a step back, look at the sensitive information they have, look at the type of breach scenarios that are likely, so based on our information and our nature of business we're likely going to be hit by ransomware or by an insider attack or by a data breach, and they should ensure that they have specific protocols in place to manage an incident based on those, and more importantly specific ways to detect an incident based on those scenarios. So our people have controls, but they're not looking for, detecting an incident.

So after you detect an incident, from an organizational standpoint, what should you do next? And that's engaging your security incident response team. That's the team internally that should be designated with people from legal, from HR, from business, from technology, from security, okay? It should be stakeholders from across the organization who come together and they manage incidents; they follow that response process we just talked about. But it's critical that this team gets together and does that work. It's not uncommon for us to see in incidents the organizations were saying, my god, we've been hacked, and they have some guy in tech, in IT, might be a server guy or a server gal, and he or she might say, oh my goodness, you know what, I went to a conference, I think I know what to do, and they have him or her go into the system, try and figure out what happened. She's not authorized to do that within the organization based on the organization's policies, so when that goes to court, or you have to defend that, she wasn't authorized, she wasn't properly trained, and that's the worst thing you can do to help manage an incident. So ensure the right team and the right individuals are involved in managing the incident.

When you get this group together, the first thing they're going to do is qualification, which is number three on the screen. You're going to sit down, you're going to look at the incident, you're going to say this is a severity one, two, three or four. Again, it's important that the security incident response team sets the severity to be defensible, people using the same measuring stick, that same lens, and they can qualify the incident properly. Once it's qualified you might look at it and say, my goodness, this is much bigger than we expected, we're going to go out and we're going to bring in some third parties. So you might go out and bring in a third-party incident response company, you might bring in third-party legal counsel to help maintain privilege, or it might be law enforcement; law enforcement might be able to help with some aspects of an incident. I mean, the interesting thing is it's not what you do, it's the order it's done in, and typically legal counsel might be the first call. But a mistake we see organizations make all too often is they call law enforcement early on. Law enforcement goes in, they grab the information, they leave, and then you're number 500 on the list and you're waiting by your phone saying, law enforcement, is there an update? And law enforcement saying, we haven't had time to look at your case, we will get to it. So it's important that you bring in third parties who are focused on addressing your business priorities and your issues that may or may not map to what law enforcement or other third parties are doing. So ensure to bring in the right people.

And then you want to investigate, you want to scope the incident: how big was it, how broad? And then you want to contain it, steps five and six. Then you have to notify, and we talked a little bit; that's going to be regulator notification if you're in a regulated industry, that might be direct notification to business partners, to customers, but you have to notify people. And then you have to recover systems. That might be rebuilding if it's a ransomware attack; it might be cleaning systems that are currently active and in production, and that's step eight. Step nine is a step that a lot of people miss though. After you clean systems and you rebuild them, a lot of times people will say, okay, we're ready to get back into business, and they tell the upper executives, people tell people externally, saying, hey, we suffered an incident, then we're good to resume. You resume business operations and you realize you haven't contained properly, and an unauthorized person still has access to the environment, or there's a repeat security incident, and that's the worst thing you can do to erode trust in this day and age, to expose the fact that you don't have your incident response together. So a trend we're seeing is organizations, if they manage the incident internally, they might have good security people, they might have good forensics people, they're going to manage the incident, then they call in an independent third party who will come in, look at what steps were taken from an incident response standpoint, verify that there's nothing else within the environment, there's no backdoors, there's no ongoing unauthorized access, and then they give it a clean bill of health, and then business services are resumed. And we do a lot of that with organizations who, again, manage incidents internally or sometimes with other third parties, and it's a CYA thing at the end of the day. If something slipped through the cracks and someone still has access to the environment, you can say, whoa, I checked, and I brought in the independent third party and they said everything was OK. It's no longer your issue; it's more
defensible at the end of the day. Step 10, post-mortem review, and that's sitting down after the incident. Everyone gets a good night's sleep, they wake up and they look at how they responded to the incident: what went well, what didn't go so well, what can we improve on to be better and more effective responding to the incident in the future. And then we have post-breach activities. You're going to be seeing this litigation spike in the next couple of years. We'll get into, we'll talk about it a bit now. Stemming from the high-profile breaches you've had, there are updates that were in the RAN, which is great, but there's also proposals for bills that are going to mandate cyber security protection, that's going to mandate controls, that's going to mandate notification, and that's across industries. I don't know if that's a year away or if that's two years away, but as soon as those requirements hit, then individuals as well as business partners now have more grounds to actually sue your organization in the event of a breach, and you're probably not seeing it here yet now just due to the legislative and regulatory landscape that you have.

But there are four types of lawsuits that are most common with breaches. You have class-action lawsuits, so all of the customers of an organization that got hacked and their information is out there, they get together and they sue the company; that's a class-action lawsuit. Something new though: they have individual lawsuits, so people are saying, I'm not going to be part of that class, I'm going to sue the company on my own, and they're suing the company. It's only, the judgments I've seen are for $800 or $1,000; it's not the cost, it's tying up your organizational executives who have to testify, tying up your legal team for years and years and years with these one-off legal cases. Very, very difficult to do, and every time there's a judgment in one of these one-off legal cases, guess what, your breach is now front and center again in the media. You're in the news again and you just can't get past the breach. So these one-off lawsuits, or individual litigation, is a big issue now for organizations. Third, regulators, and this is a trend we've been seeing in North America specifically, but regulators are not just fining organizations, they are actually suing companies. There's a high-profile case of a hotel company where an executive went on the news saying they had bank-level security, they were spending a lot of money on cybersecurity to help protect customer information. The breach happened, regulators came in, did an audit, and realized they weren't spending nearly as much as they had publicly conveyed, and then they sued the organization, who settled out of court. There's been a
number of these regulator driven lawsuits now which is very very
interesting when you look at it and then there’s a lot of lawsuits from business
partners or people you work with who might be impacted as a result of the
incident so a lot of litigation is happening now and on that topic of
litigation I know my time is running down here the most common litigation we
see is number 12 organizations who didn’t have the right security controls
in place the right base level of security if you don’t do a good job
there you’re gonna see a lot of litigation
how long it took you to detect an incident number one again we see a lot
of litigation from that respect and then it jumps the time between you detect the
incident number one two when you contain it if that was too long people sue for
that the time between detection number one and number seven how long you notify
people sue for that shareholders also sue between number one the time we
detected the incidents in number nine when you restored business operations
because it affected their investment so we see derivative lawsuits also very
very interesting when you look what’s happening out there and these critical
response steps will help you go back and formulate incident response programs and
ensure that what you’re doing is defensible the last slide I have today
is some additional points on what you can do to help ensure that the response
process that you’re following is defensible and when you look at the
definition of protection in the dictionary it means to limit harm or
damage to something I can limit harm or damage to any organization if they give
me a call and we demonstrate proper cyber response so a lot of people see
incident response as reactive it’s still protection because it reduces the hurt
that your organization feels so the five steps you can take is 1 review and
update your Incident Response program we talked about this don’t just write a
single document and expect it to be perfectly tailored for your organization
write a document identify your key sensitive types of information how
you’re likely going to experience a security breach again ransomware data
breach insider web server attack and make sure you have standard operating
procedures that address how you should respond to that specific incident or
scenario the next you should be running crisis simulations and again you want to
start with those breach scenarios and that documentation that you put together
and you run want to run these crisis simulations you want to invite internal
state holder’s external stakeholders and bring
them together to help manage the incident performing a compromised
assessment this is a new trend that we’re seeing out there where
organizations are saying you know what we spent a lot of money on cybersecurity
controls we think we’re okay my board or my upper executives keep asking if we’re
okay I think we’re okay but I’m gonna bring in an independent third party to
pretend there’s a breach they gather information from our systems and more
often than not they detect something that I’ve actually missed so bring an
independent third party to do an assessment and to give you a clean bill
of health you can provide that right to your
executives and more often than not you can identify a compromise that hasn’t
yet resulted in a breach but it’s just an incident and that allows you to
actually fix it before it mushrooms into something bigger so compromise
assessments are definitely key in the industry today we talked on the last
slide with a stopwatch about how to step through the Fencibles Incident Response
so I won’t repeat myself there but ensure what you’re doing is defensible
and how you respond and again it’s key to run post-mortem reviews and whether
it’s litigation whether it’s a regulatory body who’s coming in to
assess what you’ve done having that post incident report is great they look at it
and they say oh my goodness okay so that went well these didn’t go well and you
have an action plan to address what didn’t go well perfect nice and easy to
defend what you’ve done and that you’re doing the right things moving forward so
those are five key steps so I’m gonna challenge everyone here to go away to
reevaluate what’s happening within your organization’s and apply the ones that
you think make the most sense so that was my last slide I’m seeing the ticker
climbing down we have about a minute and 20 seconds for any questions does anyone
have any English based questions for me today I did that good of a job there’s no
questions if there are questions after whatever reason you think about later or
you weren’t comfortable talking about them in this session my contact
information is actually on the screen please do reach out to me there give me
a call or send me an email I’m more than happy to talk more about what we covered
today or even other aspects that we didn’t cover today but thanks everyone
for your time and enjoy the rest of your conference