• Home

  • Documents

  • The Challenge of Cyber Incident Response - Beat the Clock
1
The Challenge of Cyber Incident Response - Beat the Clock, with Accuracy Thursday I October 24, 2019 by Joanne Shields, Director, Integreon Once a company recognizes it had a cyber incident, the clock starts and it’s a rather unforgiving taskmaster. The insurance companies, law firms and cyber/computer forensics consultants retained to assist compromised entities often have as little as 45 days to notify affected people about the incident. If really in a pinch, a short extension can be requested in court, but it’s still not a lot of time, especially when dealing with thousands of affected records. Fully responding within this timeframe is a tall order, given that each person whose data was impacted may have had a different mixture of personal identification and health data exposed by the incident. Forensics firms, insurance companies and computer forensics consultants enlist the help of digital or “cyber” detectives to investigate a cyber incident and determine its scope and those potentially impacted. The point of this investigation is to discover if a breach occurred, but also to find out whose data may have been exposed in order to compile a consolidated entity list and notify impacted parties. Failing to make notification within the time allotted can lead to fines and other penalties, not to mention exposure to reputational risk. These consolidated entity lists must be accurate, comprehensive and rapidly generated which calls for quick ramp-up, exceptional planning, experience and seamless execution. The need for speed cannot be prioritized over the importance of accuracy when building a list - both are equally crucial. Done right, cyber incident response teams can build lists quickly to meet pressing deadlines, successfully overcoming obstacles that arise along the way. This requires a well-planned orchestration of the right resources, process and technology. Cyber incident response (CIR) data review is often compared to litigation document review, but these processes differ in many fundamental ways. Lawyers reviewing documents for litigation or compliance are typically reading through documents and emails, tagging items which are relevant to the matter at hand. On the contrary, CIR professionals must be highly analytical, approaching their data review process like detectives searching for lost objects and identifying specific owners of those objects. From a data perspective, each cyber incident has a unique set of circumstances. At the outset of a cyber incident response project, those responsible for creating a consolidated entity list must educate themselves on the nature of the documents they are investigating and learn about their origin, purpose, meaning, associated jargon, and industry acronyms. These projects must be handled carefully, with informed professionals poring over the data. For example, if the compromised organization was a hospital, both health information and personal ID information would most likely be at risk of exposure. Patient information pertaining to diagnoses, health insurance IDs, medications and date of birth could be included in the examined data set. If the breach impacted a clothing retailer’s customers, list development teams could be looking for credit card numbers, addresses and phone numbers. A government agency cyber incident may expose driver’s license or passport numbers, criminal records, or social security numbers. Cultural and linguistic quirks like nicknames can pose challenges for CIR data analysts. The English language is famous for its plethora of nicknames. A man named Robert J. Smith may be called “Bob”, “Bobby”, “Rob”, “RJ” and more. He may sometimes use his middle initial to identify himself, and sometimes not. The job of the analyst is to determine whether all these aliases refer to the same individual, so that person can be notified of all data exposures which pertained to him. If a reviewer mistakenly creates two entries with the same name, the organization relying on their work product will be understandably upset. These duplication errors must be avoided at all costs with assistance from human due diligence and technology tools. Nickname and middle initial variations are two of many potential pitfalls that can thwart construction of a clean notification list. Typos and misspellings such as “Brain” instead of “Brian” or lack of a middle initial can be reconciled by using pivot tables in Excel. Pivot tables allow reviewers to query data entered into Excel, using a unique identifier like a social security number to determine if duplicate entries have been made. Hidden columns or rows in Excel can also conceal data that needs to be examined, so the examiner must look closely to detect even the invisible. Driven by rigorous standards, consolidated entity list development teams will generally run at least 40 standard searches that are checked for misses and cleared every day. Recently introduced data privacy regulations like GDPR have added a level of complexity to CIR work. Since GDPR protects more types of data, there are more incidents, resulting in more notifications taking place. For example, GDPR protects mobile telephone numbers. Imagine how many people include their mobile numbers in their email signatures, meaning that if their email messages are exposed, each message’s email signature with a mobile number must be identified and extracted for notification. GDPR also protects personal information, mentions of which may be woven through records and correspondence. Due to GDPR regulations and also their Canadian equivalent PIPEDA, CIR professionals must add searches to find types of information that compliance earmarks, including personal signatures, marital status, race/ethnicity or sexual orientation, which are all considered private. The United States does not have a national GDPR equivalent yet, though some States have put forth their own data privacy rules and regulations. The California Consumer Privacy Act (CCPA) passed in June 2018 sets forth a stringent set of data privacy guidelines with an imminent compliance deadline of January 1, 2020. Some other states are mobilizing to establish their own privacy protections as well. Certainly, California’s strict approach sets a strong first example of what’s to come for other states. Technology tools are used throughout the CIR process, but the process cannot be fully automated without human leadership and analysis. Electronic discovery and document review software can be reverse engineered to assist CIR notification and tools specifically for cyber incident use have recently emerged and are gaining traction fast. However, technology tools alone cannot reliably determine if the information is or is not deemed provide based on the various applicable laws. For example, if you searched for the word “Medicare” on documents coming out of a human resources breach that had paycheck stubs, almost all of these hits would be FALSE or not applicable. This is because the Medicare mentions are mostly attributed to Medicare fees being deducted from everyone’s paycheck, not indicating that the individual has Medicare as his or her primary insurance provider. In most cases, employees do not have Medicare based on the fact that they are still working. However, if your data set comes from a compromised health services provider, you will get many TRUE or positive hits on Medicare because Medicare is the patient’s insurance provider. There are hundreds of other examples like this which make human judgment incredibly important in the cyber consolidated entity list development and notification process. Cyber incidents are definitely on the rise, and companies must face the fact that they may be impacted more than once, perhaps multiple times. Computer forensics and cybersecurity consultants, law firms and insurance companies assisting these clients must include acumen for consolidated entity lists into their overall response process, whether they provide these services themselves or bring in a qualified partner. Those who do this work must be experienced at diving in and building lists quickly, sometimes maintaining 24/7 schedules across the globe to ensure quality work done, on time. Once begun, the cyber clock stops for no one, so CIR teams must beat the clock and deliver the consolidated entity list without fail, every time. About the Author Joanne Shields is a Director at Integreon, a global alternative legal service provider (ALSP). An attorney with deep experience with data and document review, Shields leads data review teams for Integreon’s Cyber Incident Response (CIR) service group at the company’s service delivery center in Noida, India. About Integreon Integreon is a trusted, global provider of award-winning legal and business solutions to leading law firms, corporations and professional services firms. We apply a highly trained, experienced staff of 2,400 associates globally to a wide range of problems that require scale and expertise, enabling clients to become more operationally efficient by streamlining operations, maximizing investment and improving the quality of work they provide their end clients. With delivery centers on three continents, Integreon offers multi-lingual, around-the-clock support, as well as onshore, offshore and onsite delivery of our award-winning services. For more information about Integreon’s extensive range of services Email: [email protected], Visit: www.integreon.com and Follow: Cyber incident response (CIR) data review is often compared to litigation document review, but these processes differ in many fundamental ways. Technology tools are used throughout the CIR process, but the process cannot be fully automated without human leadership and analysis.

The Challenge of Cyber Incident Response - Beat the Clock

  • Upload
    others

  • View
    4

  • Download
    0

Embed Size (px)

Citation preview

Page 1: The Challenge of Cyber Incident Response - Beat the Clock

The Challenge of Cyber Incident Response - Beat the Clock, with AccuracyThursday I October 24, 2019

by Joanne Shields, Director, Integreon

Once a company recognizes it had a cyber incident, the clock starts and it’s a rather unforgiving taskmaster.

The insurance companies, law firms and cyber/computer forensics consultants retained to assist compromised entities often have as little as 45 days to notify affected people about the incident. If really in a pinch, a short extension can be requested in court, but it’s still not a lot of time, especially when dealing with thousands of affected records. Fully responding within this timeframe is a tall order, given that each person whose data was impacted may have had a different mixture of personal identification and health data exposed by the incident.

Forensics firms, insurance companies and computer forensics consultants enlist the help of digital or “cyber” detectives to investigate a cyber incident and determine its scope and those potentially impacted. The point of this investigation is to discover if a breach occurred, but also to find out whose data may have been exposed in order to compile a consolidated entity list and notify impacted parties. Failing to make notification within the time allotted can lead to fines and other penalties, not to mention exposure to reputational risk.

These consolidated entity lists must be accurate, comprehensive and rapidly generated which calls for quick ramp-up, exceptional planning, experience and seamless execution. The need for speed cannot be prioritized over the importance of accuracy when building a list - both are equally crucial. Done right, cyber incident response teams can build lists quickly to meet pressing deadlines, successfully overcoming obstacles that arise along the way. This requires a well-planned orchestration of the right resources, process and technology.

Cyber incident response (CIR) data review is often compared to litigation document review, but these processes differ in many fundamental ways. Lawyers reviewing documents for litigation or compliance are typically reading through documents and emails, tagging items which are relevant to the matter at hand. On the contrary, CIR professionals must be highly analytical, approaching their data review process like detectives searching for lost objects and identifying specific owners of those objects.

From a data perspective, each cyber incident has a unique set of circumstances. At the outset of a cyber incident response project, those responsible for creating a consolidated entity list must educate themselves on the nature of the documents they are investigating and learn about their origin, purpose, meaning, associated jargon, and industry acronyms. These projects must be handled carefully, with informed professionals poring over the data.

For example, if the compromised organization was a hospital, both health information and personal ID information would most likely be at risk of exposure. Patient information pertaining to diagnoses, health insurance IDs, medications and date of birth could be included in the examined data set. If the breach impacted a clothing retailer’s customers, list development teams could be looking for credit card numbers, addresses and phone numbers. A government agency cyber incident may expose driver’s license or passport numbers, criminal records, or social security numbers.

Cultural and linguistic quirks like nicknames can pose challenges for CIR data analysts. The English language is famous for its plethora of nicknames. A man named Robert J. Smith may be called “Bob”, “Bobby”, “Rob”, “RJ” and more. He may sometimes use his middle initial to identify himself, and sometimes not. The job of the analyst is to determine whether all these aliases refer to the same individual, so that person can be notified of all data exposures which pertained to him. If a reviewer mistakenly creates two entries with the same name, the organization relying on their work product will be understandably upset. These duplication errors must be avoided at all costs with assistance from human due diligence and technology tools.

Nickname and middle initial variations are two of many potential pitfalls that can thwart construction of a clean notification list. Typos and misspellings such as “Brain” instead of “Brian” or lack of a middle initial can be reconciled by using pivot tables in Excel. Pivot tables allow reviewers to query data entered into Excel, using a unique identifier like a social security number to determine if duplicate entries have been made. Hidden columns or rows in Excel can also conceal data that needs to be examined, so the examiner must look closely to detect even the invisible. Driven by rigorous standards, consolidated entity list development teams will generally run at least 40 standard searches that are checked for misses and cleared every day.

Recently introduced data privacy regulations like GDPR have added a level of complexity to CIR work. Since GDPR protects more types of data, there are more incidents, resulting in more notifications taking place. For example, GDPR protects mobile telephone numbers. Imagine how many people include their mobile numbers in their email signatures, meaning that if their email messages are exposed, each message’s email signature with a mobile number must be identified and extracted for notification.

GDPR also protects personal information, mentions of which may be woven through records and correspondence. Due to GDPR regulations and also their Canadian equivalent PIPEDA, CIR professionals must add searches to find types of information that compliance earmarks, including personal signatures, marital status, race/ethnicity or sexual orientation, which are all considered private.

The United States does not have a national GDPR equivalent yet, though some States have put forth their own data privacy rules and regulations. The California Consumer Privacy Act (CCPA) passed in June 2018 sets forth a stringent set of data privacy guidelines with an imminent compliance deadline of January 1, 2020. Some other states are mobilizing to establish their own privacy protections as well. Certainly, California’s strict approach sets a strong first example of what’s to come for other states.

Technology tools are used throughout the CIR process, but the process cannot be fully automated without human leadership and analysis. Electronic discovery and document review software can be reverse engineered to assist CIR notification and tools specifically for cyber incident use have recently emerged and are gaining traction fast. However, technology tools alone cannot reliably determine if the information is or is not deemed provide based on the various applicable laws.

For example, if you searched for the word “Medicare” on documents coming out of a human resources breach that had paycheck stubs, almost all of these hits would be FALSE or not applicable. This is because the Medicare mentions are mostly attributed to Medicare fees being deducted from everyone’s paycheck, not indicating that the individual has Medicare as his or her primary insurance provider. In most cases, employees do not have Medicare based on the fact that they are still working. However, if your data set comes from a compromised health services provider, you will get many TRUE or positive hits on Medicare because Medicare is the patient’s insurance provider. There are hundreds of other examples like this which make human judgment incredibly important in the cyber consolidated entity list development and notification process.

Cyber incidents are definitely on the rise, and companies must face the fact that they may be impacted more than once, perhaps multiple times. Computer forensics and cybersecurity consultants, law firms and insurance companies assisting these clients must include acumen for consolidated entity lists into their overall response process, whether they provide these services themselves or bring in a qualified partner. Those who do this work must be experienced at diving in and building lists quickly, sometimes maintaining 24/7 schedules across the globe to ensure quality work done, on time. Once begun, the cyber clock stops for no one, so CIR teams must beat the clock and deliver the consolidated entity list without fail, every time.

About the AuthorJoanne Shields is a Director at Integreon, a global alternative legal service provider (ALSP). An attorney with deep experience with data and document review, Shields leads data review teams for Integreon’s Cyber Incident Response (CIR) service group at the company’s service delivery center in Noida, India.

About IntegreonIntegreon is a trusted, global provider of award-winning legal and business solutions to leading law firms, corporations and professional services firms. We apply a highly trained, experienced staff of 2,400 associates globally to a wide range of problems that require scale and expertise, enabling clients to become more operationally efficient by streamlining operations, maximizing investment and improving the quality of work they provide their end clients. With delivery centers on three continents, Integreon offers multi-lingual, around-the-clock support, as well as onshore, offshore and onsite delivery of our award-winning services.

For more information about Integreon’s extensive range of servicesEmail: [email protected], Visit: www.integreon.com and Follow:

Cyber incident response (CIR) data review is often compared to litigation document review, but these processes differ in many fundamental ways.

Technology tools are used throughout the CIR process, but the process cannot be fully automated without human leadership and analysis.

https://www.integreon.com/
mailto:[email protected]
https://www.linkedin.com/company/integreon
https://www.twitter.com/Integreon
https://www.facebook.com/Integreon/

Distributed Algorithms Clock Synchronization Clock

Distributed Algorithms Clock Synchronization Clock

Documents
Beat the beat

Beat the beat

Business
Making Your Personal Beat and Buying Beat

Making Your Personal Beat and Buying Beat

Entertainment & Humor
CDCE62005 3:5 Clock Generator, Jitter Cleaner with ... · PDF fileSerDes Cleaned Clock Data DSP CDCE62005 Recovered Clock DSP Clock ADC Clock ADC Clock DAC Clock Product Folder Sample

CDCE62005 3:5 Clock Generator, Jitter Cleaner with ... · PDF fileSerDes Cleaned Clock Data DSP CDCE62005 Recovered Clock DSP Clock ADC Clock ADC Clock DAC Clock Product Folder Sample

Documents
htv-prod-media.s3.amazonaws.com · Division: 3 DISTRICT Beat: 322 Incident/lnvestigation Report Weight Case Number: 80-20-017049 Offenders Case Status:OPEN ACTIVE Seq. # AKA Agency:

htv-prod-media.s3.amazonaws.com · Division: 3 DISTRICT Beat: 322 Incident/lnvestigation Report Weight Case Number: 80-20-017049 Offenders Case Status:OPEN ACTIVE Seq. # AKA Agency:

Documents
Identifying Hardware Components in a Computer (continued) Clock Speed (continued) The computer has a system clock that generates a regular electronic beat

Identifying Hardware Components in a Computer (continued) Clock Speed (continued) The computer has a system clock that generates a regular electronic beat

Documents
UNDP Beat The Clock Champaign Poster GRN FINAL 5 PRINT · Title: UNDP_ Beat The Clock Champaign_Poster_GRN_FINAL 5_PRINT Created Date: 20171124183459Z

UNDP Beat The Clock Champaign Poster GRN FINAL 5 PRINT · Title: UNDP_ Beat The Clock Champaign_Poster_GRN_FINAL 5_PRINT Created Date: 20171124183459Z

Documents
Beat Sound, Beat Vision; The Beat Spirit and Popular Song by Laurence Coupe

Beat Sound, Beat Vision; The Beat Spirit and Popular Song by Laurence Coupe

Documents
Beat the Clock - Becker's Hospital Review › pdfs › 09.19... · 2018-08-28 · Beat the Clock Solving for Contingent ... Desktop, Tablet, Mobile, Wearable Customizable by Client

Beat the Clock - Becker's Hospital Review › pdfs › 09.19... · 2018-08-28 · Beat the Clock Solving for Contingent ... Desktop, Tablet, Mobile, Wearable Customizable by Client

Documents
UNDP Beat The Clock Champaign Poste DOM …...Title UNDP_ Beat The Clock Champaign_Poste_DOM_FINAL 5_PRINT Created Date 20171124181431Z

UNDP Beat The Clock Champaign Poste DOM …...Title UNDP_ Beat The Clock Champaign_Poste_DOM_FINAL 5_PRINT Created Date 20171124181431Z

Documents
Getting Started with Incident Response...Getting Started with Incident Response Ensuring your organization can detect, respond to and recover from incidents when the clock is ticking

Getting Started with Incident Response...Getting Started with Incident Response Ensuring your organization can detect, respond to and recover from incidents when the clock is ticking

Documents
9 on demand beat the clock

9 on demand beat the clock

Documents
5 instances where property managers have to beat the clock to ace their gam

5 instances where property managers have to beat the clock to ace their gam

Documents
Al Mann - The Four O' Clock Incident

Al Mann - The Four O' Clock Incident

Documents
Beat! Beat! Drums!

Beat! Beat! Drums!

Documents
07/24/2015 Beat The Clock Report for District 01 Page 1 of 101...07/24/2015 Beat The Clock Report for District 01 Page 1 of 101 Period Ending: 06/30/2015 00000011 E 03 Long Beach Gavel

07/24/2015 Beat The Clock Report for District 01 Page 1 of 101...07/24/2015 Beat The Clock Report for District 01 Page 1 of 101 Period Ending: 06/30/2015 00000011 E 03 Long Beach Gavel

Documents
Beat Beat Beat 2

Beat Beat Beat 2

Documents
SLOW DOWN, WITHOUT MISSING A BEAT€¦ · slow down, without missing a beat handy size tangent quattro internet radio tangent trio dab radio tangent duo clock radio tangent cinque

SLOW DOWN, WITHOUT MISSING A BEAT€¦ · slow down, without missing a beat handy size tangent quattro internet radio tangent trio dab radio tangent duo clock radio tangent cinque

Documents
September 6, 2016 Edition - ihca.com Beat - September 6... · that include annual, complaint, follow-up, initial, incident report and ... 925 surveys per month including ... focused

September 6, 2016 Edition - ihca.com Beat - September 6... · that include annual, complaint, follow-up, initial, incident report and ... 925 surveys per month including ... focused

Documents
U.S. Department of Transportation INCIDENT REPORT – Report ...€¦ · A4. Earliest local time (24-hr clock) and date an incident reporting criteria was met: ... Local time of final

U.S. Department of Transportation INCIDENT REPORT – Report ...€¦ · A4. Earliest local time (24-hr clock) and date an incident reporting criteria was met: ... Local time of final

Documents
Ward Employee S.No. Zone No. Beat No. Beat I.D. Beat

Ward Employee S.No. Zone No. Beat No. Beat I.D. Beat

Documents
Incident Management help topics for printing - … · Toviewyourfavorites,clickFavorites and Dashboards >Incident Management.HPServiceManager. Incident. incident incident incident

Incident Management help topics for printing - … · Toviewyourfavorites,clickFavorites and Dashboards >Incident Management.HPServiceManager. Incident. incident incident incident

Documents
ELEMENTS | SKILLSRHYTHM BEAT • Steady beat • Steady beat • Steady beat • Steady beat • Steady beat ... notes, quarter rest, four beamed sixteenth notes, half note, whole•

ELEMENTS | SKILLSRHYTHM BEAT • Steady beat • Steady beat • Steady beat • Steady beat • Steady beat ... notes, quarter rest, four beamed sixteenth notes, half note, whole•

Documents
Beat the Clock: Finding the Gremlins Behind Slow Mobile Page Loads

Beat the Clock: Finding the Gremlins Behind Slow Mobile Page Loads

Technology
A Beat Generation - Historisk Metode - Starthistoriskmetode.weebly.com/.../srp_-_beat_generationen_.docx · Web viewA Beat Generation A Beat Generation A Beat Generation ABSTRACT

A Beat Generation - Historisk Metode - Starthistoriskmetode.weebly.com/.../srp_-_beat_generationen_.docx · Web viewA Beat Generation A Beat Generation A Beat Generation ABSTRACT

Documents
11 - 1DT085 L10 pipeline2 - Uppsala University · 2011-11-23 · Compiler can insert nops Clock Cycle 1 Clock Cycle 2 Clock Cycle 3 Clock Cycle 4 Clock Cycle 5 Clock Cycle 6 Clock

11 - 1DT085 L10 pipeline2 - Uppsala University · 2011-11-23 · Compiler can insert nops Clock Cycle 1 Clock Cycle 2 Clock Cycle 3 Clock Cycle 4 Clock Cycle 5 Clock Cycle 6 Clock

Documents
August2014 Shot Spotter Report - City of Oakland · Incident Type July August % Change August 2013 ... BEAT COUNT BEAT COUNT BEAT COUNT 25X 16 30X 31 30X 36 21Y 15 34X 27 34X 32 29X

August2014 Shot Spotter Report - City of Oakland · Incident Type July August % Change August 2013 ... BEAT COUNT BEAT COUNT BEAT COUNT 25X 16 30X 31 30X 36 21Y 15 34X 27 34X 32 29X

Documents
Beat The Clock

Beat The Clock

Documents
“Racing to Beat the Clock”web.biosci.utexas.edu/field/BIO361P/ppt/Sample_Alberta...“Racing to Beat the Clock” Texas-Sized Issues Associated with the Transportation of Select

“Racing to Beat the Clock”web.biosci.utexas.edu/field/BIO361P/ppt/Sample_Alberta...“Racing to Beat the Clock” Texas-Sized Issues Associated with the Transportation of Select

Documents
6 Time Management Insights That Beat The Clock

6 Time Management Insights That Beat The Clock

Business