
HackMeCo, Incident Response

An approach to lecture #2

If you recall from week 2

We've been had, and it was all George's fault.

An approach

Finish the job

Already we:
Hopefully we're prepared
Detected and analyzed
Contained, eradicated?? and recovered
Post-mortem analysis

Don't forget the follow-up:
Prosecute?
Re-visit our controls?

Regulatory and otherwise compliance

Multiple shades of red

Do we need to be XXX compliant? What does regulatory compliance mean to unregulated industries?

Simple compliance

Industries' treatment of information is often regulated to assure society that protections meet an agreed-upon standard. In such cases the regulations are published and well known, and expertise is available for interpreting the legal language.

Health Insurance Portability and Accountability Act (HIPAA): 355 pages in the Federal Register
Sarbanes-Oxley: 65 pages
NERC Critical Infrastructure Protection (CIP): 31 documents (but read them carefully: $1 million/day fining authority)

Simple, sort of

In the government regulatory scenario:
The rules are knowable
It's reasonably clear who the rules apply to
As written into law, the rules are usually pretty generic
It's possible to know where you stand

Non regulatory, but still compliance

Payment Card Industry Data Security Standard (PCI DSS): industry self-regulation, with notable failures in e-commerce
FFIEC guidance on Internet banking authentication: guidance, not regulation, though Internet searches turn up pages that incorrectly call the guidance "regulation", because US courts have been finding against banks that had not implemented it, citing it as best practice

What!?!

In the absence of regulation or authoritative controls, courts and the general population will still judge your actions against a perception of good or best practice. The fact that no law or regulation forced you to do a good job is often moot. WEP is, technically, a way to encrypt wireless traffic, and at one time that technically satisfied PCI DSS; but WEP keys could already be recovered in minutes by then, and nobody would have defended TJX's security practices as best practice. The result: large fines.

Penalties vary - regulatory

Fines: non-compliance can result in regulatory authorities assigning fines.
These range from relatively minor to NERC CIP's $1,000,000/day/incident, back-dated to the start of the non-compliant behavior
Fines are typically assigned directly by the regulating body; no court action is required

Penalties vary - regulatory

Legal: in some cases (some levels of HIPAA violation, for example) non-compliance is criminal
Penalties include fines as well as potential jail time
Criminal liability is, of course, individual and can be applied to directors, officers and employees of the company

Penalties vary - civil

PCI penalties are civil in nature, not criminal
Most levels include fines
They can also decide not to allow you to accept credit cards anymore

Penalties vary - civil

FFIEC guidance has NO direct legal effect, but banks are (sometimes) losing in court based on it
Civil judgments against the bank, based on non-compliance
Other standards may apply in the same way; it keeps lawyers busy

Penalties vary - market

Security incidents these days can be noisy affairs
Organizational reputations are at stake
A perception of shoddy infosec standards can cost you customers
Umbrella laws like the Federal Trade Commission Act's prohibition on unfair or deceptive practices can be used to categorize poor behavior and levy fines in lieu of direct regulation

No such thing as unregulated

Many companies today have limited or no regulatory compliance issues with respect to IT security, but have customers or business partners who do. In these cases third-party handling of information isn't always spelled out in law or regulation, but in some cases, like HIPAA (Business Associate Agreements), the provisions are explicit.

Complicated Landscape

In cases like HIPAA where third-party agreements are spelled out, it doesn't necessarily make things simpler:
HIPAA is a legal requirement for the covered entity, but the BA agreements are civil contracts
While there is no private right of action against a covered entity under HIPAA (you can't sue them), the contractual agreement may allow civil action against third parties
While you cannot contractually indemnify parties against violations of the law (HIPAA violations), you CAN indemnify against contract breach

Sometimes there are no audit requirements, just penalties for breach or other evidence of non-compliance (e.g. state breach disclosure laws)

Who's in charge

Sometimes, as in the case of US states, regulation is regional:
46 of 50 states have laws regarding notification in the case of a breach of Personally Identifiable Information (PII). Each of them is different, some VERY different.
Washington State provides a free pass if the breached entity was PCI compliant at the time of the breach
Global companies with information stored in multiple locations throughout the world have to deal with local law and regulation wherever they may be

Break 1

Business Realities

If your customer must comply, they will likely feel that you need to comply as well. EVERYONE tries to spread the liability around
Even if folks aren't spreading it around, sometimes liability spreads through court action
Even without liability or a regulatory mandate, being responsible for a breach can be painful

Good Sense

Sometimes full compliance, without the requirement, is a marketing tool
Even though you aren't currently mandated by law, someone in local or federal government is thinking about regulating you; count on it
If a customer has to choose between you and a competitor that is compliant, you lose
MOST government regulations regarding information security and assurance are just good-sense guidelines, and fairly weak at that

Compliance Costs

What if you have to comply with:
CIPA (Children's Internet Protection Act)
CISP (Visa Cardholder Information Security Program)
PA-DSS (Payment Application Data Security Standard)
PCI DSS (Payment Card Industry Data Security Standard)
OMB Circular A-123
FFIEC guidance on authentication in an Internet banking environment
FISMA (Federal Information Security Management Act)
GLBA (Gramm-Leach-Bliley Act)
HIPAA (Health Insurance Portability and Accountability Act)
Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act)

This is the SHORT and USA-ONLY list

Compliance Costs (cont.)

Direct costs:
New infrastructure (new firewalls, IDS, logging devices)
Additional personnel
Internal audit and compliance (time)
???

Indirect costs:
Opportunity costs
Business model restrictions
???

Compliance Benefits

Direct benefits:
Marketing material
Sales (based on new marketing)
Customer audit readiness
???

Indirect benefits:
Process improvement (CMM-style improvements?)
Risk reduction
???

Break 2

Medicare Billing Fraud Reduction ASP

You are the Director of Security (reporting to the CFO) for a HackMeCo subsidiary which HIPAA-covered healthcare providers use to examine medical billings and payments for evidence of fraud. All of their billing information flows through you (but you don't do billing). You aren't collecting this information, so assume that you are not required to adopt PCI (technically this may not be true, but let's use that as a baseline assumption). You DID have to sign a Business Associate Agreement (sample available) to get Protected Health Information (PHI).

The Issue of the day

Nobody is demanding anything; we are operating, performing the service we advertise. Customers have asked our salespeople if we are PCI compliant. Our salespeople said "Gee, I expect that we are, but I'll ask." The truth is, we are not PCI compliant, nor is there a legal requirement for it. In a short email we explained this to the salesperson, who then asked why not (and CCed the CIO and CEO). Not adversarial; she just wants a discussion, since she sees it as a potential negative.

Our Situation

No legal requirement (remember, PCI is industry-based, not legal regulation)
Even the Payment Card Industry says we don't have to be compliant
We have billing data from our clients regarding health care billing, which includes HIPAA-protected data as well as credit card info and billing histories
You suspect the salesperson asking about this is the one stealing your lunch out of the fridge

Choose Your Response

So far it's just an email conversation, but the CIO has called a meeting of the COO, CIO, Director of Marketing, Director of Operations, you and the salesperson to discuss it. The CFO (your boss) has asked that you research the topic and present your findings to the meeting with your recommendations. Draft an outline of your presentation to the management team.

Suggestions for the assignment

Remember, just because you are not forced to comply doesn't mean it's necessarily a bad idea
Weigh the benefits and costs of compliance or lack of compliance
Put a mousetrap in your lunchbox
