Lecture Slides-Lecture 3

Transcript of Lecture Slides-Lecture 3

  • 8/13/2019 Lecture Slides-Lecture 3

    Slide 1/29: HackMeCo, Incident Response

    An approach to lecture #2

  • Slide 2/29: If you recall from week 2

    We've been had, and it was all George's fault.

  • Slide 3/29: An approach

    Finish the job

    Already we:
    - Hopefully were prepared
    - Detected and analyzed
    - Contained, eradicated?? and recovered

    Don't forget the follow-up:
    - Post mortem analysis
    - Prosecute?
    - Re-visit our controls?

  • Slide 4/29: Regulatory and otherwise compliance

    Multiple shades of red
    - Do we need to be XXX compliant?
    - What does regulatory compliance mean to unregulated industries?

  • Slide 5/29: Simple compliance

    Industries' treatment of information is often regulated to assure society that protections meet an agreed upon standard.

    In such cases, the regulations are published, well known, and expertise is available for interpreting the legal language.

    - Health Insurance Portability and Privacy act (HIPAA): 355 pages in the federal register
    - Sarbanes Oxley: 65 pages
    - NERC Critical Infrastructure Protection: 31 documents (but carefully read - $1 million / day fining authority)

  • Slide 6/29: Simple, sort of

    In the government regulatory scenario:
    - The rules are knowable
    - It's reasonably clear who the rules apply to
    - As written into law, the rules are usually pretty generic
    - It's possible to know where you stand

  • Slide 7/29: Non regulatory, but still compliance

    Payment Card Industry Data Security Standard (PCI DSS): Industry self-regulation, notable failures in e-commerce

    FFIEC guidance on Internet banking authentication: Guidance, not regulation, though Internet searches link pages which incorrectly refer to the guidance as regulation, because US Courts are finding against banks which have not implemented the guidance, citing it as best practice


  • Slide 9/29: Penalties vary - regulatory

    Fines: Non-compliance can result in regulatory authorities assigning fines. These range from relatively minor to NERC CIP at $1,000,000 / day / incident, back dated to the start of the non-compliant behavior.

    Fines are typically assigned directly by the regulating body, no court action required.

  • Slide 10/29: Penalties vary - regulatory

    Legal: In some cases (some levels of HIPAA violation, for example) non-compliance is criminal.

    Penalties include fines as well as potential jail time.

    Criminal liability is, of course, individual and can be applied to directors, employees and officers of the company.

  • Slide 11/29: Penalties vary - civil

    PCI penalties are civil in nature, not criminal.
    - Most levels include fines
    - They can also decide not to allow you to accept credit cards anymore

  • Slide 12/29: Penalties vary - civil

    FFIEC Guidance has NO direct effect, but banks are losing in court (sometimes) based on it.

    Civil judgments against the bank, based on non-compliance.

    Other standards may apply in the same way; keeps lawyers busy.

  • Slide 13/29: Penalties vary - market

    Security incidents these days can be noisy affairs.
    - Organizational reputations are at stake
    - Perception of shoddy infosec standards can cost you customers
    - Umbrella laws like the Federal Trade Commission's Unfair Practices Act can be used to categorize poor behavior and levy fines in lieu of direct regulation


  • Slide 15/29: Complicated Landscape

    In cases like HIPAA where third party agreements are spelled out, it doesn't necessarily make it simpler.
    - HIPAA is a legal requirement for the covered entity, but the BA agreements are civil
    - While there is no private right of action against a covered entity (you can't sue them) under HIPAA, the contractual agreement may allow for civil action against third parties
    - While you cannot contractually indemnify parties with respect to violations of the law (HIPAA violations), you CAN indemnify against contract breach

    Sometimes there are no audit requirements, just penalties for breach or other evidence of non-compliance (e.g. state breach disclosure laws).

  • Slide 16/29: Who's in charge

    Sometimes, as in the case of US States, regulation is regional.
    - 46 of 50 states have laws regarding notification in the case of breach of Personally Identifiable Information (PII). Each of them is different, some are VERY different.
    - Washington State provides a free pass if the breached entity was PCI Compliant at the time of the breach
    - Global companies with information stored in multiple locations throughout the world have to deal with local law and regulation, wherever they may be

  • Slide 17/29: Break 1

  • Slide 18/29: Business Realities

    If your customer must comply, they will likely feel that you need to comply as well.
    - EVERYONE tries to spread the liability around
    - Even if folks aren't spreading it around, sometimes liability spreads through court action
    - Even without liability or regulatory mandate, being responsible for a breach can be painful

  • Slide 19/29: Good Sense

    Sometimes, full compliance without the requirement is a marketing tool.
    - Even though you aren't currently mandated by law, someone in local or federal government is thinking about regulating you; count on it.
    - If a customer has to choose between you and a competitor that is compliant, you lose
    - MOST government regulations regarding information security and assurance are just good sense guidelines, and fairly weak at that.

  • Slide 20/29: Compliance Costs

    What if you have to comply with:
    - CIPA (Children's Internet Protection Act)
    - CISP (Visa Cardholder Information Security Program)
    - PA-DSS (Payment Application Data Security Standard)
    - PCI DSS (Payment Card Industry Data Security Standard)
    - Federal Circular A-123
    - FFIEC authentication in an electronic banking environment guidance
    - FISMA (Federal Information Security Management Act)
    - GLBA (Gramm-Leach Bliley Act)
    - HIPAA (Health Insurance Portability and Accountability Act)
    - Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act)

    This is the SHORT and USA ONLY list

    Sources: http://www.securecomputing.com/index.cfm?sKey=1301 and http://www.securecomputing.com/pci

  • Slide 21/29: Compliance Costs (cont.)

    Direct Costs
    - New infrastructure (new firewalls, IDS, logging devices)
    - Additional personnel
    - Internal audit and compliance (time)
    - ???

    Indirect costs
    - Opportunity costs
    - Business model restrictions
    - ???

  • Slide 22/29: Compliance Benefits

    Direct Benefit
    - Marketing material
    - Sales (based on new marketing)
    - Customer audit readiness
    - ???

    Indirect Benefit
    - Process improvement (CMM style improvements?)
    - Risk reduction
    - ???

  • Slide 23/29: Break 2


  • Slide 26/29: The Issue of the day

    Nobody is demanding anything; we are operating, performing the service we advertise.

    Customers have asked our salespeople if we are PCI compliant. Our salespeople said "Gee, I expect that we are, but I'll ask." The truth is, we are not PCI compliant, nor is there a legal requirement for it.

    In a short email, we explained this to the salesperson, who then asked why not (and CCed the CIO and CEO). Not adversarial, she just wants a discussion since she sees it as a potential negative.


  • Slide 28/29: Choose Your Response

    So far, it's just an email conversation, but the CIO has called for a meeting of the COO, CIO, Director of Marketing, Director of Operations, you and the Salesperson to discuss. The CFO (your boss) has asked that you research the topic and present your findings to the meeting with your recommendations.

    Draft an outline of your presentation to the management team.

  • Slide 29/29: Suggestions for the assignment

    Remember, just because you are not forced to comply doesn't mean it's necessarily a bad idea.

    Weigh the benefits and costs of compliance or lack of compliance.

    Put a mousetrap in your lunchbox.