
Thank you very much. Another 18 minutes left, so this is a quick one. Did anyone see the talk in the other room? I always hate going to see a talk right before mine, because I get a little bit self-conscious, especially if it's on a similar topic. I feel like this is a 20-minute highlight of what he just talked about, a little bit different, but here we are.

I'm Michael Wiley. I ran my own company for years and just sold it to Ritchie Solutions, where I'm the director of cyber security services. I do penetration testing, blue teaming, and building cyber security programs for organizations, mostly out of California. Being in cyber security, I think I did about twenty different ones in the last two years, and we're really building up. So this is a long one that I've compressed down into, what, 17 minutes left. There's a little bit more in the full version about some different frameworks, but the one thing I want you to take away from this is a quote: preventing problems is often less costly and more effective than reacting to them after they occur. The story that he gave me was pretty good. He did a penetration test, he had his report that he went over with the client, and one of the findings he gave out was: you need to have an HTTPS website. Of course this was an e-commerce website, so you would have thought they already had that, but they didn't, and the business owner or the management team didn't understand why. It's going to cost me money, why should I do that? Well, here are the security reasons, you need to protect cardholder data, and so on. But what is it going to do for me? So he finally had to go back and think about that, look at the business case, and say, well, okay, if you do HTTPS, Google's going to give you a higher ranking, you're going to get better SEO. They immediately said let's put these three people on it, let's do this right away. So he had to start changing the way he wrote these reports and aligning some of the things that he did with the business goals rather than just security.

I wanted to take this presentation here and give a little more high-level view, and help some of you in your organizations present some of these topics, especially around incident response and defense, to management, especially senior management who might not understand the importance of what we're doing. I'm passionate about technology and security, so I love sitting there spinning up new servers and security tools; I come to these conferences and I go home and spend hours and hours playing with this stuff. But unless we have the business case and we can align it with business goals, it's very hard to sell that. I have an MBA; I spent two and a half years doing a lot of business cases and SWOT analyses, so I might be able to help you with some of that transition, or bridge the gap between business and what we do as far as security. So we're going to talk a little bit about business goals, being able to demonstrate relevance to management, highlight some fines in recent cases (you can look up these studies to give you some ammo), and look at some incident response budgeting.

Okay, so one thing I've seen as far as trends before, and this isn't that far in the past, a couple of years ago even: this all came from Harvard Business Review. They looked at a couple of the different breaches, at the crisis before, during and after the breaches, and at what happened. Home Depot had a 21% increase in its earnings per share. Does anyone know earnings per share? You get a book; see, I remembered to do one of these. Okay. And then by the end of February 2014, Target had the highest percent stock price regain in five years. In 2014, Sears, after their breach, the stock price rose after the breach announcement as well; it was a steady increase after that. And nine million dollars of Target's breach-related costs were covered by cyber insurance. So there was a lot of "push it off", or "how is it really going to impact us?" Everyone's talking about reputation loss, but then we're seeing, well, if there's reputation loss, why is the value of the stock and the company going up after this? I saw a lot of this and it was a little bit troubling to me in the past.

Now what I'm seeing in recent years, just in the last year or two even, is: okay, maybe it's not reputation loss, but there are some other quantifiable metrics that we can use as far as harm to the company. So, 2018, recently Uber paid, or is projected to pay, a record 148 million dollars for concealing their data breach. They didn't do what they were supposed to, they had a big data breach, and now they have to pay a bunch of fines. 2018, Facebook: this is again a "could", but they're supposed to face 1.63 billion dollars in fines for the GDPR breach that they had, or for violating GDPR. 2018, Atlanta paid 2.6 million, and apparently that's still adding up; if you were at Jake Williams's talk, he talked a lot about that, to recover from the ransomware breach. 2016, Yahoo had to pay, and this one was interesting because it wasn't a fine and it wasn't a loss of reputation, but they actually had to write a check for 350 million dollars to Verizon because they didn't do the right thing: they didn't announce it in time and there was lost reputation. I don't know how they came up with that figure, but they had to give them a check for 350 million dollars to say, basically, sorry, we did bad.

Okay, so I like to give this scenario when I talk about incident response, and I think this helps when you talk to your management or executives: not just talking about the nerd stuff that we love so much, but giving them a little bit of a scenario of what this is like. I use this as an illustration for students when I teach, as well as for executives. I was going to change this, because I realize if you're from Georgia you're not as prone to earthquakes as I am. I sometimes change the scenario when I go to different regions or areas, but in this case I was thinking about it on my way here and I don't know what to do for a hurricane, so I can't really help you there; you're going to have to try and think about this from the earthquake scenario.

You take your family to California. It's a business trip, and your family is sightseeing; they're on Hollywood or the Sunset Strip, taking a look at the different things, the stars and whatnot. Then, in the middle of the day, there's a major earthquake. You're at the client's office or in a conference room, they're out on the Strip, and you think: what am I going to do? I want to check on my family and make sure they're okay. If you didn't plan this out... I go through this, essentially a tabletop scenario, with some of my clients. So in California in the past, in Northridge, we had a big earthquake: some of the roads collapsed, water pipes were bursting, the supermarkets were sold out of certain foods and water, and cellphone towers were not working well. So if you think about that, how do you communicate if the cell towers are down? I started thinking about this for myself as well: okay, if the cell towers go down, there are hardly any landlines left, so I'm not going to be able to call my family. I have a ham radio, but my wife doesn't know how to use it, and we haven't talked about what tower or frequency we're going to use or anything like that. If I want to start driving, or you want to drive to your family or whoever you're trying to get to, and the roads are collapsed, or Waze doesn't work, or Google Maps doesn't work, it's a little bit challenging. I even thought about this most recently because my wife's pregnant, and we were thinking, well, if there's an emergency, where's the nearest hospital? So I googled it, but besides googling it, I didn't know how to get there or the directions. We take some of these technologies for granted; they help us in our everyday lives, but they can potentially be an issue in a disaster situation. Do you have the skills for first aid? I can obviously Google or YouTube how to put a tourniquet on, but if I've never done that or practiced it or seen someone doing it, it's probably not the best for me to just figure that out on the spot. And if you're thirsty, do you have water in your car? Do you keep these things nearby in your house? I know they say you can go to the toilet bowl and drink water out of that, but has anyone looked at their toilet tank recently? It might have some reddish-orange color to it; I don't know what's in it and I don't really want to drink that. If you're hungry, obviously we have food in the refrigerator, but what if it's the day before grocery day, or what if, because the pipes burst, McDonald's is closed, or Chick-fil-A, which I guess is really popular out here, so you can't really get food? Have you talked about this with your family? This even prompted me in my own life with my family: I want to go see if they're okay, but what if they're coming to see if I'm okay and we can't call each other? Not having a plan set forth, and really just saying "well, if that happens, we'll deal with it", can end up costing us a lot more in the future. I think having a scenario like this will help you talk to management if they don't really understand the technological part of incident response; give them something they can relate to, and maybe change earthquake, if you're from Georgia, to something you can relate to, but for me it's an earthquake.

Okay, and I can then transition that into a scenario that they might actually see. This was a case that I worked incident response on, for a post-production house in the Los Angeles area. One of the colorists ended up calling to report an incident. It was a senior editor that had finished a large blockbuster film; you can imagine, it was like a five hundred million dollar production. They said the mouse started moving, and then they saw that the project inside the editing tool closed down and a different project ended up opening up. They had an incident response plan, but obviously no one really read it, and they pulled the plug on the system. So they ended up calling us, saying, hey, take a look at this, we want to figure out: was this the next blockbuster that we just packaged, is it going to be on Pirate Bay tomorrow, or was this just a glitch? What really happened here? So we came out to look at it.

In this scenario, if you're thinking this through while talking with your executive: do we have advanced logging? In this case, no. There was no advanced logging; there was no record of pretty much anything that was happening. They had a free version of some type of NetFlow or sFlow, so we could see some transactions, but it was only retaining up to an hour, so by the time we got there, there was no data left. No packet capture on the network, no central log system. The users weren't trained to preserve volatile memory, so they thought, something's going on, let me just pull the plug, and then we lost a lot of data there. VNC was installed on every system on the network without any type of logging, and of course they had used the same password for the last 15 or 20 years, so we really couldn't figure much out there either. There were no baselines of any systems or networks, how they should look or how they shouldn't look, so it was very difficult.

So, coming back to this: maybe you can play a scenario like this to management or senior management, or even your supervisor, going from the disaster, a natural disaster that they can relate to, to something like this that's maybe somewhat relevant, and talk about all these things that could happen. Sometimes when I do tabletop exercises... let me get a hands up: has anyone done tabletop exercises? A few people. Has anyone done a ransomware tabletop exercise? A couple. And for those couple of people that have done that, have you discussed in that tabletop exercise who makes the decision whether you pay the ransom? Anyone? Two of them, that's good. A lot of times when we go through that scenario people don't even think of that; it's kind of quiet in the room. They say, well, we thought about ransomware, that's in the news everywhere, but we never really thought about who's going to pay that at that point or who's going to make that decision, and if we only have 24 hours, what's going to happen?

Okay, so I'm going to kind of skip through these, since we briefly spoke and we're a little short on time. I pulled these statistics of data breaches; I purposely didn't want to grab dollar numbers, but I wanted to pull records, since those will be a little more accurate. These are a bunch of big data breaches that happened recently and the number of records that were stolen. Obviously Yahoo has that giant line above everyone else, but we can still see the others are in the millions as well.

So my biggest issue, and it goes back to what Jake just spoke about in the other room, is that with some of these breach statistics, how do you quantify the impact of the breach? They'll say we've had this much spending, we've spent this much time, we'd do whatever, but it's different depending on who you ask. And quantifying reputation as well: let's say we have lost reputation. In the past I didn't have these fines that I could bring to the CEOs or CIOs or CISOs to say this is what it's going to cost you, or what it has cost people in the past. They'd say, okay, what reputation hit do we get if we leak the new Marvel or Disney or Netflix or whatever film we're working on, or if we have 50 million credit cards stolen? Yes, we have reputation harm, but going back to some of the other data, our stock price might actually still go up, so it's not really going to do that much to reputation, and we can't really measure that.

Regulations on reporting breaches are fairly new and unclear. GDPR, if anyone has had to deal with that, there are a lot of questions and ambiguity with it. And then the new California Consumer Privacy Act, if you're doing any business in California: that one is one of my favorites. There are missing sentences, like the sentences just stop in the laws that they've passed, so you don't really even know where they're going with some of that stuff. Some of the privacy laws and the breach laws now have a "reasonably likely to cause harm" standard, and I'll show you a couple of slides on that coming up, but there's also some discretion on the company's side: did we really think someone did this? If they stole the laptop, could they really have seen the data on it? We're going to say no and not report it.

We also see that the media figures have no vetting to them. I've clicked through some of these different articles, whether it was the Atlanta data breach or the Yahoo one, and these reports just throw out a number. If you just look at the Atlanta data breach and what it cost, you'll find numbers anywhere from a million to seventeen million dollars, and that's a little bit of a gap. Sometimes I'll see articles, look at the date and the amount they're reporting, and they're still all over the place, so I don't know where these people are getting the figures. They'll cite someone else or some other article, then you go there and that one cites some other one; they're kind of citing each other in this vicious circle.

Thresholds and obfuscation, the get-out-of-jail-free card. Some states, and I'll show you a picture on that coming up as well, have certain thresholds: if you don't hit a certain threshold of records, or you've obfuscated or encrypted them, you don't have to report, and those terms are very vague as well. So if you obfuscate the data or truncate it, if you take the last digit off the social security number, is that still a breach? Do they still have to report that? That's not the true record. And then most of the statistics are based off of surveys and interviews of large corporations. So you ask, what's the average cost of a ransomware incident? Well, look at what survey they're citing: it was Fortune 500s, or it was a Fortune 500 that got breached, or whatever that was, and not the smaller companies, so it's not true data that they have out there, and it's also biased. Jake just talked a lot about this, but there are a lot of reasons to under-report or over-report on this.

A couple of different things: I did a lot of research on the financial sector and breaches because I found, for CPAs this year, tax software where, if you use a CPA, there's a good chance that your data is flying across the network in clear text. I've reported those to the vendors and they're still working on it from the beginning of this year. So I thought, I want to see what people are reporting on as far as breaches in California, because we have this new California Consumer Privacy Act, and a few years ago they revised another breach notification law that said you have to submit your breaches to a database. I found some interesting things when I searched every single breach record I could find relating to tax and CPA in the California database. We saw statements like "we found unauthorized access to our secured network". Okay, well, if it was so secure, how did you get breached, and why are you reporting your breach in this database? "The attacker managed to hack into our computer systems despite the firewall and antivirus." Okay, so it's still not secure. "The backup hard drive was stolen, though it requires proprietary software for the files to be readable." Okay, you can run strings against that, or you can download the free trial and still get that stuff. "We take aggressive steps to protect your information to ensure all records are securely locked." The data was not securely locked; it was unencrypted, and therefore you had to report it. If it had been encrypted or truncated or obfuscated, you wouldn't even have had to report this. So even though we have these laws and regulations coming out as far as breach notifications, we're still seeing a lot of businesses trying to protect their reputation; they're not really accurately reporting the information they have, they're trying to skew it so it doesn't look like they're so bad.

Okay, a couple of quick case studies. I'm going to breeze through these since I'm almost out of time. Yahoo had two different breaches, if you weren't aware: one of them was a smaller one, only 500 million records, and then the larger one was the three billion that made a lot of news. This is one of the first ones where we saw real tangible, quantifiable numbers come out. I'm going to skip over to the next slide so we can see those. We saw that the SEC actually fined them; they stepped in and said we're going to fine you thirty-five million dollars for failure to promptly report, so you didn't let everyone know about this breach in time. And then Verizon also took a check from them for 350 million dollars because of the lack of reputation, or that they didn't let them know about some of this during due diligence.

The Atlanta ransomware incident, obviously earlier this year: they had multiple people involved with this. A lot of this could have been fixed; they had SMB version 1 on public-facing servers, and this was all reported by security researchers. They had a lot of people involved, and this is one I'm still digging for a lot more information on. The reason I'm interested in government agencies is because they have to report more than the private sector does, and they're held a little bit more to that standard, so we can actually see that broken down. Rather than Yahoo saying we had to spend all this money and we have no idea what that is, at least with this Atlanta one we can see the breakdown of who they paid and how much. We don't know exactly what they did: so you had an MSSP come in for $60,000, well, what exactly did they do? Did they augment the staff? How long were they there? We don't see those invoices, but at least we can see that they're $60,000, and sure, if we file a request we might be able to get access to a little bit more of this. But we could see that they had PR companies come in, Cisco for malware reverse engineering, they had SecureWorks come in, EY come in for incident response.

And then this one is probably one of the first ones, there's debate between a couple of different companies, but Voya Financial: they're a top 25 broker in the US, so think of one of your online trading companies. They have $418 billion in net assets, but they were fined 1 million dollars by the SEC. This is one of the first times that we've seen a fine from the SEC just for the breach, not for failure to report on time, but just for an actual breach.

Okay, and then this is another part that's really interesting: privacy laws. We're seeing a lot of them come in that actually have quantifiable penalties. So in California in 2020, if you're doing any business with us in California or have any residents in California, there are a couple of different thresholds, but we're seeing that there are actual quantifiable fines for every record that you have breached or every violation. GDPR: tons of money that people are getting fined for that as well. In the past it was really just that the Attorney General could sue your company or file a lawsuit if you didn't follow the law, but now we're actually seeing a physical dollar amount in these laws. We can see that almost every single state here has electronic breach laws; some of them also cover paper; some of them do have a harm threshold, so if you have a certain number of records, or if there's no harm or reasonable assumption of harm, then you don't have to report. And then we see a lot of other laws that are industry-specific, so if you're in health care and other areas.

Okay, it's my last slide here: lessons learned. What we saw is that there are high tangible costs associated with some of these incidents, whether it's paying a ransom, the IR consultants that come in, breach notices, regulatory fines, and these are all increasing. We see that incidents could have been prevented at a lower cost if you had done a little bit better defense. Breaches need to be reported promptly, and if they're not, we're starting to see a lot more of the customers and laws come into place that are now forcing businesses to do this, and sometimes it's even in a contract that says we will not do business with you unless you have incident response and all these defenses in place.

So that is it for the slides. It was a quick 20-minute truncated version of my longer talk. If anyone has any questions, I have two things to hand out; I already gave one out, so
questions, and a prize for the question. It's good. Yes? Yes.
yeah
Well, it's funny you mention that, because I was thinking about that right before the talk, like, wow, it's up to 15 million dollars. I'm sorry, yeah, so the question was my thoughts on whether they should have paid the ransom in the beginning, or whether it's good that they went ahead and did their own incident response. Well, they were originally asking... the attackers, or adversaries, were asking for I think $50,000, so I think financially it would have been better for them in that case to pay it. My personal take on it is: do not negotiate with terrorists. We saw an increase, 165 percent I think, somewhere around there, in ransomware in 2014 quarter-over-quarter because people were paying it, so I think it encourages it. But you're going to have to make your own decision within your organization; I can't tell you what's right or wrong. You know, if you want to come up, I'll give you this one for that question. And the other question? Yeah.
yep
yep
When... I think, because they started, if I remember correctly from the timelines that I saw, it was taken away, but they had already publicly talked about the incident, or that they were not going to pay. I don't know which one it was, but the City of Atlanta talked about it before that, and then it was taken down after that. Any other questions? Yes, in the back.
Yes, so the question's about cyber security insurance and how that's going. I know with, I think it was the Yahoo incident, they ended up paying... the insurance paid ninety million out of the couple hundred million or whatever it was. I think Jake's last talk was really good on this; if you hadn't seen that, he talked about how a lot of them aren't paying out. Exactly. I've seen some clauses that say you have to be doing XYZ beforehand, you have to have due care, and if you were negligent there are certain things that don't fall in that. I think in the past they were pushing it off on that: they were taking the risks and transferring them to someone else, but now I don't think that's really fixing the problems. Sometimes they're saying we're not going to pay the fines, or we'll do it but you have a whatever-million-dollar deductible, and some things are getting padded in there, like Jake was just talking about, that shouldn't really be in there. So I would recommend cyber insurance; I just don't think it's the solution. You can't have no security and then transfer the risk to someone else. Thank you. I think he left, so if you want to come grab the book for your question. Thank you very much, appreciate it.